P2P-Zone  

Old 23-01-13, 10:23 AM   #1
JackSpratts
 
JackSpratts's Avatar
 
Join Date: May 2001
Location: New England
Posts: 10,013
Default Peer-To-Peer News - The Week In Review - January 26th, '13

Since 2002
"The Internet belongs to no man, industry, or government." – Kim Dotcom


"Aaron Swartz is my hero. He was selfless. He is completely the opposite of me." – Kim Dotcom
January 26th, 2013




Dotcom’s Mega Launches To Unprecedented Demand
enigmax

The much anticipated rebirth of Megaupload took place in the last few hours with interest living up to expectations. In less than one hour the site picked up 100,000 new registrations, going on to 500,000 and beyond just a few hours later. As the site struggled to cope with demand it became unresponsive in the face of an unprecedented flood of users eager to test out the new file-hosting site. Just a few minutes ago the launch party at Kim Dotcom’s mansion began, with some interesting reveals.

It’s been exactly one year since Megaupload was destroyed by the United States government and exactly one year since Kim Dotcom and his business partners were arrested and thrown in jail by armed police.

For most people these developments would’ve heralded the beginning of a downward spiral, but for this resilient team it only added fuel to the fire.

This weekend, against what appeared to be insurmountable odds, Kim Dotcom, Mathias Ortmann, Finn Batato, Bram van der Kolk and a legal team headed by Ira Rothken and Paul Davison QC launched Mega, the most anticipated file-sharing and storage site in history.

Billed as “The Privacy Company“, the launch certainly went off with a bang. In the site’s first hour online it attracted 100,000 brand new users and just a few hours later signups had reached a quarter of a million and beyond. Demand was such that the site couldn’t cope, with many visitors struggling to gain access to the Internet’s newest cyberlocker.

“Server capacity on maximum load. Should get better when initial frenzy is over. Wow!!!” exclaimed Dotcom on Twitter.

A few minutes ago the New Zealand launch party kicked off and it had all the glitz the world has come to expect from the flamboyant entrepreneur. From a festival-sized stage in front of Kim Dotcom’s Coatesville mansion, proceedings began with a play to the home crowd via a traditional Māori musical performance. Then Dotcom took the stage.

“Today is the one year anniversary of the raid and destruction of Megaupload. The allegations against us are wrong, we are innocent and we will prevail,” he began.

“This is not about mocking any government or Hollywood. It’s about our right to innovate.”

Dotcom said the launch of Mega would begin a new conversation on Internet freedom.

“The Internet belongs to no man industry or government,” he said.

Dotcom went on to talk a little about the misuse of copyright by profit-motivated corporations aimed at taking control of the Internet and chilling free speech. He said Megaupload had first-hand experience of this type of action, it was taken away without a hearing, its users’ privacy was ruined and free speech was attacked.

“You will be left at the side of the road if you misuse copyright,” he said. “No matter how many politicians you lobby, no matter how many SOPAs, you will not take control of OUR Internet,” he declared.

The new Mega is billed as “The Privacy Company” and Dotcom pushed this aspect heavily in his speech.

“Why do we focus on privacy? According to the UN Charter of Human Rights, privacy is a basic human right. But lately it has become increasingly difficult to communicate privately,” he said.

“By using Mega you say NO to those who want to know everything about you. By using Mega you say NO to governments that want to spy on you. By using Mega you say YES to Internet freedom and your right to privacy,” he said.

Adding to the stats given out earlier, Dotcom said that Mega’s launch had exceeded expectations. The site had 1 million visitors in 14 hours and 500,000 registered users.

“Mega is going to be huge and nothing will stop Mega,” he said.

Then, adding to the performance, a black FBI-labeled helicopter swooped in and officers rappelled down ropes from the roof of the mansion in a reenactment of the raid one year ago. But Dotcom swiftly brought this to an end.

“Stop the madness, let’s all be friends,” he said, launching into a performance of his own track “Party Amplifier.”

In a Q&A session, Dotcom spoke of a project Megaupload had been working on. Megamovie was intended as a Netflix competitor, one which would’ve been integrated with Megakey, but it didn’t get off the ground due to the raids. On Twitter Dotcom teased the MPAA with the screenshot below and “Let’s talk!”

Following questions on the privacy and encryption aspects of the site, Dotcom said that he would be lowering his profile somewhat in the future. It’s not healthy to be constantly in the public eye, he said, and with no further questions the press conference ended and the bar was declared open.
http://torrentfreak.com/dotcoms-mega...demand-130120/





BitTorrent Reveals Sync, a New File Synchronization Tool that Could Compete with Dropbox and iCloud
Nick Summers

BitTorrent has announced a new service today called Sync, that uses peer-to-peer technology to synchronize personal files across multiple computers and devices.

The file-sharing company says that although the feature is still in a pre-alpha stage at the moment, it is allowing a small number of users to test it via an application form on its Labs page.

“We’re hoping that users like you can help us build something sick,” the company said. “If you’re comfortable using early, incomplete software, and if you’re committed to helping us figure out a better way to sync, we want to hear from you.”

Any other details are scarce at the moment, although a screenshot published on BitTorrent’s blog shows a separate window, entitled “SyncApp”, with a few different tabs such as Devices, Folders and Transfers. Also worth noting is the smartphone icon in the top-left hand corner, which points to a future release on mobile devices.

Gigaom reported the news, and was told by the company that Sync will be able to share files between different devices without any cloud caching. BitTorrent was also cited as saying there would be native apps for OSX, Windows and Linux.

It looks like Sync could work for files not only downloaded from the client itself, but also any other folder stored locally on your PC or laptop. That would put it in contention with a whole host of other cloud-based storage services, including Dropbox, Google Drive and iCloud.

Plenty of people use BitTorrent though – albeit for often unscrupulous reasons – so the company does have the advantage of starting with a large pool of potential users.

The announcement of Sync follows the release of Surf, a Chrome extension that allows users to discover and download torrents directly in Google’s Internet browser.

To try and shake its long-standing image of being a tool for piracy, last December the company also launched a new marketing campaign, called DoesBitTorrentEqualPiracy.com. On the website it listed 50 ways that the client has helped the Internet build and share useful content.
http://thenextweb.com/2013/01/25/bit...ox-and-icloud/





New Music Survey: P2P Users Buy the Most, No One Wants Disconnection Penalties

Google funds the survey, but majority says search should block pirated content.
Timothy B. Lee

A new survey from the American Assembly, a research center at Columbia University, provides new insights about public opinion on file sharing and copyright enforcement. With support from Google, researchers Joe Karaganis and Lennart Renkema commissioned a public opinion survey to find out how consumers were getting their media and what their attitudes were toward a variety of copyright enforcement strategies.

Among the most significant findings: Americans overwhelmingly oppose the use of disconnection and rate-limiting as penalties for unauthorized file sharing. Also, the survey suggests users of peer-to-peer file-sharing software buy 30 percent more music than those who do not use peer-to-peer software.

The distinction between public and private sharing is central to Americans' thinking about the morality of file sharing. Eight in 10 Americans believe that it's OK to share copyrighted content with family members, and six in 10 extend the same logic to friends. But only a small minority of Americans—between four and 15 percent—say it's reasonable to upload copyrighted content for public consumption, post links to pirated content on Facebook, or sell unauthorized copies of copyrighted materials.

Unsurprisingly, young people tend to be friendlier to copying than older Americans. For example, 76 percent of Americans under 30 say it's reasonable to share content with friends, while only 51 percent of those over 65 think so. Only 13 percent of American Internet users use peer-to-peer file-sharing software overall, but 20 percent of adults under 30 do so.

While the survey was commissioned by Google, not all of the results will be to the Mountain View company's liking. A slight majority—53 percent—of Americans believe that search engines should "be required to block links to pirated music and videos online." Only 42 percent disagreed with that statement.

File sharers buy more music

There is a perennial debate in tech policy circles about whether peer-to-peer file sharing reduces the market for music and other creative content. It's obvious why those who download pirated files from peer-to-peer networks might purchase less content through legitimate channels. But some scholars argue file sharing can make it easier for fans to find new content they like, broadening their tastes and causing them to buy more music in the long run.

The survey provides some limited support for the view that file sharing promotes, rather than hinders, legitimate music purchases. The average American on a peer-to-peer network has a music library of almost 2000 songs. Of these, 760 (38 percent) are reported to be legitimately purchased. In contrast, those who say they are not P2P users (but do collect digital music files) have an average library size of 1300 songs. Of those, 582 (roughly 45 percent) were purchased from legitimate sources. Most of the others were ripped from CDs or copied from friends and family.

So as we might expect, a larger fraction of the music collections of non-P2P users come from legitimate sources. However, in absolute terms P2P users buy more legitimate music than those who amassed digital music collections without using peer-to-peer software.

Of course, correlation is not causation. It's possible, for example, that the most avid music fans are also the most likely to be drawn to peer-to-peer networks. Perhaps without those networks they would have purchased even more music from legitimate services. But at a minimum, it's an important reminder that many heavy P2P users are also heavy consumers of music from legitimate channels.

Cultural differences

Karaganis and Renkema commissioned surveys in both the United States and Germany, allowing comparisons to be drawn between the two countries. The survey results were broadly similar between the countries, with a few notable differences. Germans generally express higher support for efforts to enforce copyright. For example, 59 percent of Germans believe that unauthorized downloading of a song or movie should be punishable, while just 52 percent of Americans agree. However, Germans are privacy zealots, with 71 percent opposing Internet monitoring to prevent infringement, two points higher than Americans.

The survey results also suggest Germans have been slower to adopt new technology than Americans. In the United States in 2011, 14 percent of consumers had an eBook reader and 10 percent of consumers had a tablet. In Germany, the corresponding figures were 2 percent and 4 percent. There is also a large disparity in pay television subscriptions.

Physical formats are still king in Germany. An impressive 82 percent of music revenue is attributable to physical formats such as the CD. In contrast, physical formats now account for less than half of recorded music revenue in the United States.

Because Germany has a more extensive system of publicly funded television content, only 49 percent of Germans subscribe to a pay TV service, compared with 82 percent of Americans. In America 13 percent of consumers (including 29 percent of those under 30) get "most or all" of their music from a streaming service such as Pandora or Spotify. Only 2 percent of German consumers (9 percent of those under 30) rely on a streaming music service.
http://arstechnica.com/tech-policy/2...ion-penalties/





5 Absurd Copyright Takedowns That Make The Law Look Outdated
John Paul Titlow

No matter where you stand on copyright issues, it's hard to argue that the current system is working. In few places are the flaws of modern copyright law more apparent than when it comes to Digital Millennium Copyright Act (DMCA) takedown requests.

Sure, plenty of legitimate DMCA notices are received and honored by sites like YouTube, Rapidshare and Grooveshark all the time. But every now and then we hear about a takedown notice that leaves us scratching our heads: Is that really a copyright violation? If not, why was the content removed? Is the system that easily gamed? Oh, it was a violation? How weird.

Even the legitimate takedowns tend to lead to a cat-and-mouse game and may not have a meaningful impact on the piracy they're intended to thwart, research suggests. But either way, some of the headline-grabbing copyright-related content takedowns we've seen raise major questions about the state of copyright law, the DMCA and digital piracy.

Five prominent examples are listed below, but there are undoubtedly others. If you've heard of an outrageous Web content takedown request, let us know in the comments section.

1. Buffy vs. Edward vs. Bogus Takedown Notices

In 2009, Jonathan McIntosh posted a video to YouTube that seemed ripe to go viral. "Buffy vs. Edward: Twilight Remixed" riffed on two popular vampire-related entertainment franchises by cleverly mashing up scenes from both into one cohesive, six-minute video. Sound like a copyright violation? It's not. In fact, the U.S. Copyright Office cited the remix video as a shining example of fair use.

In October 2012, McIntosh received an email from YouTube explaining that his video had been pulled due to a copyright complaint from Lionsgate Entertainment, which owns the rights to the Twilight movies. McIntosh challenged the takedown on fair use grounds and a frustrating back-and-forth between YouTube, Lionsgate and McIntosh ensued. At one point, McIntosh was even locked out of his YouTube account and forced to take lessons in copyright infringement from Google.

As of today, Buffy vs. Edward is back online. For now.

2. Rumblefish Claims Ownership Of Birdsong

No, "Birdsong" is not the title of a popular song recorded by an artist whose songs are licensed by Rumblefish. It's literally the sound of a bird singing in the background of a video featuring a man making a salad. Using YouTube's Content ID infringement detection system, the company issued a takedown notice to the video's very confused creator.

Rumblefish's CEO owned up to the error and the video remains online, but the whole affair raises major questions about how the copyright enforcement system works.

3. Universal Targets Pro-Megaupload Video Just Because

A few weeks before the now infamous raid that took down Megaupload and its top brass, Kim Dotcom was involved in yet another copyright-related dispute. Shortly after the music video for "Megaupload Song" was uploaded to YouTube, it was taken down due to a copyright complaint from Universal Music Group. This was despite the fact that the song and video were original, non-infringing content. UMG apparently didn't like the fact that a video promoting Megaupload featured on-camera cameos by major label mega-stars like Kanye West, Mary J Blige, P Diddy and Will.i.am.

4. Universal Goes Crazy Over A Prince Song

When Stephanie Lenz uploaded a short clip of her kids dancing to "Let's Go Crazy" by Prince, the last thing she expected was a copyright takedown notice. Apparently, 26 seconds of low-quality audio was too much for Universal Music Group, which owns the copyright to Prince's catalog. The resulting legal case, Lenz v. Universal, established a precedent stating that copyright owners would need to take the parameters of fair use into consideration before issuing DMCA takedown notices.

5. Minecraft + Gangnam Style = Copyright Violation?

Taking two things beloved by the Internet and mashing them up is often a surefire recipe for a viral video. It's also apparently an open invitation for accusations of copyright infringement. YouTube user CaptainSparklez learned this the hard way after he uploaded "Minecraft Style," a video that parodies the world's most viewed YouTube video by merging it with the ever-popular Minecraft video game.

After being yanked from YouTube, "Minecraft Style" returned in mid-December, only to be pulled again. The jury is still out on whether this video falls under the fair use exception to copyright law. Either way, it's hard to imagine a clever mash-up parody video eating into the massive success wrought by PSY since his bizarrely catchy song went viral.
http://readwrite.com/2013/01/22/5-ab...-look-outdated





A Revamped Myspace Site Faces a Problem With Rights
Ben Sisario

Last week, Justin Timberlake’s new song, “Suit & Tie,” did double promotional duty. Not only was it a teaser for Mr. Timberlake’s latest album, but it also served as an introduction for a revamped version of Myspace, the once-mighty social network and music site.

Mr. Timberlake is a minority partner in the investor group that bought Myspace for $35 million in 2011, six years after News Corporation paid $580 million for it with hopes of dominating the social Web. Before long it was eclipsed by Facebook and fell into the dustbin of the Internet.

The new Myspace, which like the old MySpace lets people listen to huge numbers of songs free, has won early praise for its sleek design. But while it has said its intention is to help artists, it may already have a problem with some of the independent record labels that supply much of its content.

Although Myspace boasts the biggest library in digital music — more than 50 million songs, it says — a group representing thousands of small labels says the service is using its members’ music without permission.

The group, Merlin, negotiates digital deals on behalf of labels around the world. Charles Caldas, chief executive of Merlin, said in an interview on Friday that its deal with Myspace expired over a year ago, yet songs from more than 100 of its labels are still available on Myspace, including Beggars Group, Domino and Merge, three of the biggest independents.

“While it’s nice that Mr. Timberlake is launching his service on this platform, and acting as an advocate for the platform,” Mr. Caldas said, “on the other hand his peers as artists are being exploited without permission and not getting remuneration for it.”

Neda Azarfar, a spokeswoman for Myspace, said the company had decided not to renew its contract with Merlin, and that if songs from its member labels were still on the site, “they were likely uploaded by users” and would be removed if requested by the label.

In December, Myspace.com had 27.4 million unique visitors in the United States, according to comScore. That is far from its peak of 76 million in 2008, but for a music industry still struggling for all the business it can get, it is an audience that cannot be ignored.

The industry as a whole is largely supportive of Myspace, which is now seen as an underdog facing long odds. For small labels, though, the licensing situation has brought back memories of the introduction of MySpace’s first music service, MySpace Music, in 2008, when deals were cut with the major labels but most independents were left out for more than a year.

“The feeling is not good,” said William Crowley, the vice president for digital and mobile at eOne Distribution, an independent music distributor that is associated with Merlin.

“Unlicensed services are a source of grave concern,” he added, “especially high-profile ones.”
https://www.nytimes.com/2013/01/21/b...ermission.html





Victims of Revenge Porn Mount Class Action Suit Against GoDaddy and Texxxan.com

“Those of us on there go to the grocery store and everybody recognizes you.”
Jessica Roy

“I don’t think that society really realizes how rampant it is,” Sarah, a victim of revenge porn, told Betabeat in a feature we wrote last month about the effort to put a stop to sites that take intimate photos of women and publish them without their permission. “And right now,” she added, “there’s not a lot that victims can do about it.”

Last week, however, several women – some affiliated with Sarah’s organization, End Revenge Porn – joined a class action lawsuit with the hopes of taking down a prominent revenge porn website.

Hollie Toups, a 32-year-old resident of Beaumont, Texas, has publicly come forward to discuss her painful experience with revenge porn in an effort to encourage other victims to do the same. Ms. Toups is now one of at least 23 women who have signed on to a class action lawsuit that seeks to prosecute the owners of Texxxan.com and its hosting company GoDaddy for invasion of privacy and mental anguish. Texxxan.com hosts intimate photos of women living in Texas that have been submitted without their consent.

“I live in an extremely small town and the website was flooded with people that I knew,” Ms. Toups said. “Those of us on there go to the grocery store and everybody recognizes you. Not everybody says something, but you get a lot of like, ‘Hey, do I know you?’ or, ‘I recognize you from somewhere.’ But then you also get people that will just come out and say it.”

Like many victims of revenge porn sites, Ms. Toups told Betabeat that some of her photos appear to have been uploaded by an ex-boyfriend, while others she says she never sent to anyone and may have been lifted from her phone or computer. The photos had been uploaded along with a link to her Facebook profile and real name, so she received harassing messages for weeks after her photos surfaced on the site.

“GoDaddy is profiting off of it,” said John S. Morgan, Ms. Toups’ lawyer. “The reality of it is at some level this issue of revenge porn has to become a public discussion and a legislative discussion and it raises issues of corporate responsibility. Why would an organization like GoDaddy want to give its name to this type of website?” (We assume Mr. Morgan hasn’t seen GoDaddy’s ads.) GoDaddy told us, “We don’t comment on pending litigation.”

Considering the numerous repercussions that keep many victims silent, Ms. Toups’ decision to join the lawsuit under her real name is brave. Many revenge porn victims – including Sarah – are forced to remain anonymous or else face the wrath of vengeful exes who find renewed motivation to post their pictures on porn websites. Because of the intimate nature of the photos, many women are also embarrassed to publicly admit that they were victims, and others are afraid of cyberbullying from the passionate fandoms revenge porn proprietors attract.

Ms. Toups said she was “in a straight panic” for days after discovering the photos, and emailed the site’s owner to try to get them taken down. “They replied and said they would be happy to remove the pictures for me if I would enter my credit card information,” she said. “I went from being depressed and embarrassed to being really pissed off.”

Texxxan.com isn’t the only website allegedly engaging in this sort of blackmail enterprise. Other revenge porn sites also benefit both from posting photos and removing them. Is Anybody Down, a copycat site of Hunter Moore’s infamous Is Anyone Up, has a relationship with a third-party website called Takedown Hammer that will scrub your photos from Is Anybody Down, but only for a fee.

Is Anybody Down features ads for Takedown Hammer across its site, and a link called “Get Me Off This Site!” takes you to a post about Takedown Hammer’s success in removing its clients’ photos from Is Anybody Down. Takedown Hammer claims to be operated by a New York-based lawyer named David Blade, III, but no such name appears in the New York State Unified Court System’s attorney database.

Nevada-based lawyer Marc Randazza, who is representing Bullyville founder James McGibney in a defamation suit against the revenge porn proprietor Hunter Moore, has conversed extensively with the profiteers of Is Anybody Down. After studying the IP addresses associated with the computers of Is Anybody Down’s owner Craig Brittain and the owner of Takedown Hammer, he told Betabeat that the two sites are definitely both run by the same person.

“I have clear and convincing evidence that the exact same IP address is being used by both emails from the Takedown Hammer and Is Anybody Up,” Mr. Randazza said.

Ms. Toups is unfortunately well-acquainted with this new form of digital extortion, but initially struggled to find a lawyer willing to represent her. Many revenge porn victims want to sue, but only anonymously, which makes it much more difficult to launch a successful class action suit.

After several lawyers turned her down, Ms. Toups found John S. Morgan, an attorney in Southeast Texas. With the help of Mr. Morgan and Sarah, Ms. Toups reached out to victims in her area to see if they would be interested in joining the suit. The class action suit petition was filed in Orange County, Texas on Friday.

“To anyone affected by this, I stress to you, you are not alone! It’s not your fault, and you did nothing wrong!” Ms. Toups wrote in a statement representing the women involved in the suit. “You don’t have to face this alone anymore. I know the emotions you’re feeling and what you’ve been going through, and don’t have to feel ashamed! Hold your head high.”

“I think 99 percent of victims get told no [by lawyers] so they give up,” Ms. Toups said by phone. “I apparently was born with a hardheaded trait that came in handy for once, and I refused to accept the fact that there was nothing that could be done.”

Many proprietors of revenge porn websites claim they are protected under Section 230 of the Communications Decency Act, which states that websites are not liable for content submitted by users. Mr. Morgan argues that because these sites knowingly post photos without the subject’s consent, and advertise their sites as such, they aren’t protected by this law. He also noted that because Texxxan.com only posts the photos of women living in Texas, he is pursuing the case under state law instead of federal law.

Mr. Morgan also intends to sue all those who signed up for a subscription on Texxxan.com, paying a monthly fee to get access to more personal information of the women in the photos. After news of the suit broke, Texxxan.com became viewable only to its members.

As for Ms. Toups, who’s studying criminal justice and currently works for the state as a mentor for kids, she’s decided to turn her experience into a vehicle for her to positively impact the lives of other victims.

“Hollie reached out to me to see how she could help with the cause,” Sarah told Betabeat. “I’m working closely with her and the woman behind Women Against Revenge Porn to reach out to victims, letting them know about our petition and our sites.” (Sarah said that any lawyers interested in helping victims can submit their contact info via the Legal Contacts page on End Revenge Porn.)

“I’ve been trying to figure out why this happened,” Ms. Toups said. “Maybe it happened to me so I could help someone. Several of the girls that I’ve been in contact with have been suicidal and I feel like if I had reached them sooner they would not even have attempted that. I’m one of the older ones – most of them are younger – so I felt somebody has to start it. And I knew that once I did even the ones who were scared would end up coming out.”

Ms. Toups said that since going public on a local Texas TV station on Thursday night, other girls have contacted Mr. Morgan hoping to join the suit.

Despite mounting pressure from revenge porn victims, hackers and lawmakers, the web’s most notorious revenge porn entrepreneur, Hunter Moore, is still at it. Last Friday, Mr. Moore tweeted that his TV show had been picked up, though declined to say for which network.
http://betabeat.com/2013/01/victims-...d-texxxan-com/





IMAGiNE BitTorrent Group Sysop Speaks Out as He Heads to Prison
Ernesto

A convicted member of the now-defunct online movie piracy group IMAGiNE has left a public statement before starting his 40-month prison term. Last Friday 53-year-old sysop Gregory Cherwonik of New York was transferred to a detention facility to serve his sentence. In his first public words on the case he criticizes the MPAA and the U.S. Department of Justice, among others.

In 2011 the notorious IMAGiNE movie piracy group was dismantled by the feds. The group was known for releasing large numbers of movies onto the Internet, many of them still playing in theaters.

This attracted the attention of the MPAA who launched an investigation which eventually led to the arrests of four U.S. residents.

These IMAGiNE members were charged with several counts of criminal copyright infringement and they eventually received prison sentences ranging from 23 months in prison up to five years.

Among the sentenced is 53-year-old IMAGiNE sysop Gregory Cherwonik, mentor of a robotics team from Canandaigua. According to his sentencing papers Cherwonik was transferred to prison last Friday, but not before speaking out on the case for the first time.

TorrentFreak received a series of documents from an email address that appears to belong to the 53-year-old IMAGiNE member. While our requests for clarification remained unanswered, we have a good-faith belief that they are indeed Cherwonik’s writing.

The full documents are available here and appear to have been written at different times, both before and after his sentencing early January. Below we’ll go over some of the statements the sysop makes.

“Well if you’re reading this, I guess I must be in Jail,” one note starts.

“Spunky here … most of you know me by my real name Greg Cherwonik, thank you DOJ for splattering that on the internet. I’ve got a few parting comments to make before I slip into the shadows of prison life.”

Cherwonik goes on to explain that he never made any money from his work at IMAGiNE or their UnleashThe.net BitTorrent tracker.

“Serving time for copyright infringement, a victimless crime that I never made a single dollar off of. In fact over the years I bet I paid a thousand or so in site donations and server costs, not even including the time I spent doing code work for a dozen or so places,” he writes.

The IMAGiNE sysop further mentions that in his opinion the case should have been a civil one, and he doesn’t see why copyright infringement is a federal offense.

“Pirating a federal offense? It’s beyond me how this has happened. Federal offenses were always the most serious of crimes. You tell me how copying a little audio or video has fallen into this category.”

He goes on to blame copyright groups for influencing legislation in their favor.

“I guess if you pay off enough politicians and ‘give’ so many millions to [the] right law enforcement agencies you can get anything you want. Throw in a couple high paid lawyers to twist the words of the Patriot Act around, and voilà …. PIRATING is a Federal Offense.”

Consequently, the maximum penalty of five years in prison is too harsh, according to Cherwonik.

“It’s bad enough they call you a terrorist in front of your kids (I think it’s their way of justifying it), but then there’s the 5 year MAX for the first offense. WTF is that, you’re telling me a person with no previous criminal convictions can get up to 5 years for releasing a movie.”

Concluding one of his notes the sysop says that his involvement in IMAGiNE and UnleashThe.net was not worth the time he has to spend in prison now. He learned a lot from the experience, but perhaps lost even more as it is unlikely that he can continue his mentor work when he’s released.

“As for my incarceration. Was it worth it? NO.”

“Nothing is worth losing your freedom, would I do it again … hmmm I don’t know. I learned so much from it. Without it I wouldn’t have learned HTML and PHP. Both of which I use on the website I made for the Robotics teams I used to Mentor. They probably won’t want a felon to Mentor the kids.”

“Too bad, I really enjoyed working with them.”
http://torrentfreak.com/imagine-bitt...prison-130121/





Cable Industry Admits That Data Caps Have Nothing To Do With Congestion
Chris Morran

A month after one study called shenanigans on the cable industry’s repeated assertion that data caps and usage-based pricing are intended to relieve congestion, the president of the National Cable and Telecommunications Association has admitted as much.

NCTA president, and former FCC chair, Michael Powell recently told a Minority Media and Telecommunications Association audience that usage-based pricing isn’t about congestion, but “how to fairly monetize a high fixed cost.”

He said that charging more to customers who use the Internet the most “is a completely rational and acceptable process to figure out how to fairly allocate those costs among your consumers who are choosing the service and will pay you to recover those costs.”

Time Warner Cable recently announced its intentions to make its Essentials broadband service, which provides a $5 discount to customers who agree to stay below 5GB/month in data usage, available nationwide. We’ve voiced our concerns about the program (which really only offers about $1/month in savings when you factor in that you currently must rent a modem from TWC) because a $5 discount for customers who can only use 1/50 of the broadband of regular customers doesn’t seem to add up.

“If usage caps were about ‘fairness,’ carriers would offer the nation’s grandmothers a $5-$15 a month tier that accurately reflected her twice weekly, several megabyte browsing of the Weather Channel website,” writes DSLreports.com’s Karl Bode. “Instead, what we most often see are low caps and high overages layered on top of already high existing flat rate pricing, raising rates for all users. Does raising rates on a product that already sees 90% profit margins sound like ‘fairness’ to you?”

As for Powell’s assertion that there is such a high fixed cost involved in setting up broadband networks, the December report from the New America Foundation claims that the overall cost of providing Internet service has decreased over the last five years, at the same time as user numbers have grown and the use of broadband-heavy applications like streaming video have become commonplace.

“Despite the substantial decrease in the cost of operating a network and transporting data, consumers have not seen a resulting decline in the cost of service,” wrote the NAF, “nor have many providers increased the usage caps to reflect the decline in costs for Internet connectivity.”
http://consumerist.com/2013/01/18/ca...th-congestion/





Mixed Response to Comcast in Expanding Net Access
Amy Chozick

At the cramped downtown office of the Community and Economic Development Association of Cook County, a line of older residents waited to apply for a federal program that helps pay for heat and other utilities. On the walls, next to posters advertising Head Start and other public services, hung posters for something called Internet Essentials.

“Is the Internet on your back to school list?” read one leaflet being handed out along with information about the Women, Infants and Children program, a Health Department initiative that offers nutritional and breast-feeding support to low-income families.

Internet Essentials is not a government program, although that would be difficult to tell from the poster. Instead, it is a two-year-old program run by Comcast, the country’s largest Internet and cable provider, meant to bring affordable broadband to low-income homes.

Any family that qualifies for the National School Lunch Program is eligible for Internet service at home for $9.95 a month. The families also receive a voucher from Comcast to buy a computer for as little as $150.

The program is not charity: Comcast started Internet Essentials in order to satisfy a regulatory requirement to provide Internet access to the poor, which also happens to be one of the few remaining areas for growth for cable companies across the country. More than 100,000 households in Atlanta, Philadelphia, Boston, Seattle, San Francisco and other major markets have signed up for Internet Essentials.

But as the program gains popularity, the company has come under criticism, accused of overreaching in its interactions with local communities — handing out brochures with the company logo during parent-teacher nights at public schools, for instance, or enlisting teachers and pastors to spread the word to students and congregations.

“A company like Comcast doesn’t do it out of the goodness of their heart,” said Joe Karaganis, vice president of the American Assembly, a nonprofit public affairs forum affiliated with Columbia University.

The Obama administration has been pushing private-public partnerships as a way to make high-speed home Internet access available to the 100 million Americans who lack it.

The digital divide has traditionally been regarded as one between urban and rural areas of the United States. But only about 7 percent of households without broadband are in rural areas without the necessary infrastructure; the bulk of the rest are low-income families who cannot afford the monthly bill, or do not feel it is a necessity, according to government statistics.

“The broadband divide is a real threat to the American dream,” Julius Genachowski, chairman of the Federal Communications Commission, said in an interview. “The costs of digital exclusion are getting higher and higher.”

Comcast set up shop in Chicago in May 2011, a few months after its $13.75 billion takeover of NBC Universal. As part of its approval for the deal, the F.C.C. required the company to devise a plan to make broadband available to the poor. Comcast reluctantly agreed, according to a person involved in the merger who could not speak publicly about private conversations. A Comcast spokesman said the company had volunteered the plan. Broadband subscriptions represent the main driver of Comcast’s $55.8 billion in annual revenue. The company and its competitors have largely reached saturation among households that can afford high-speed Internet. That leaves the poor as one of the industry’s main areas of growth.

“In the long, long run, yes, I hope we’re creating future Comcast customers,” said David L. Cohen, executive vice president of the Comcast Corporation. He added: “There’s no bait and switch here. This is a community investment.”

Before he became Comcast’s chief lobbyist and the overseer of Internet Essentials, Mr. Cohen was a prominent Democratic political consultant and aide to Edward G. Rendell, a former Pennsylvania governor.

He regularly consults with local political leaders, including his friend Rahm Emanuel, the mayor of Chicago, who has assisted Mr. Cohen in making the city an important market for Internet Essentials. Comcast has made donations to Mr. Emanuel’s campaigns in the past. The company spent $12.4 million on lobbying last year and contributed $4.8 million to mostly Democratic candidates.

On Saturday, the United States Conference of Mayors gave Comcast and Mr. Emanuel an award for the Internet Essentials collaboration.

Rather than sell Internet Essentials in its normal bundle, Comcast has established a separate sales team that works directly with community leaders. The company has enlisted hundreds of Internet Essentials volunteers who spread the word about the program.

One of those volunteers is Gale Woods, who, after a long shift at Walmart, used to walk her son, Austin, more than a mile to the public library so he could get access to a computer to do his homework.

The situation was not ideal, but Ms. Woods could not afford a computer, much less the monthly Internet fee. Then she heard Mayor Emanuel, at a news conference, talking about Internet Essentials and its price of $10 a month, less than one-fourth what the service typically costs.

“I thought, wow, that’s a deal,” Ms. Woods, 47, said in the living room of her apartment on the city’s South Side. “It’s usually at least $40 just for the basics.”

After using the service for over a year, Ms. Woods serves as a volunteer. She tells neighbors in her Bronzeville apartment complex how to sign up and drops off brochures at the library.

As she talked about the benefits of having the Internet at home, including sending out résumés and taking classes at Northeastern Illinois University, 10-year-old Austin gently interrupted his mother. “It’s pretty slow, Mom, I have to load it three times,” he said. (Internet Essentials provides broadband with speeds of 3 megabits per second, compared with the 12 megabits per second that many higher-priced packages provide.)

At Morton High School in Cicero, a heavily Hispanic suburb of Chicago, teenagers wearing uniforms of khaki pants and white-collared shirts flooded the hallways. Near an honor roll poster and a mural of the ancient Aztecs, Michael Kuzniewski, superintendent of J. Sterling Morton High School District (known among students as “Dr. K”) said nearly 90 percent of the school’s 3,600 students qualified for the federal lunch program, making it a prime target for Internet Essentials.

Comcast sets up kiosks at open houses, handing out Internet Essentials brochures to parents. Teachers and counselors send students home with brochures. Dr. Kuzniewski said private companies approach them almost daily on ideas “to save public education,” helping him develop a healthy sense of skepticism. But when he realized how deeply a lack of broadband access put Cicero’s students at a disadvantage, any doubts he had about Internet Essentials were erased.

“We just saw them falling further and further behind,” he said.

But many advocacy groups argue that broadband has become so crucial to success in school and the work force that it should be treated like a public utility paid in part by government subsidies.

Broadband service is “a natural monopoly” controlled by a handful of private companies, said Mr. Karaganis, of the American Assembly, adding that Internet Essentials gave Comcast access to people in community settings where it could use the lure of low prices to tap into a new consumer base.

Comcast said an intimate grass-roots approach was necessary to explain to low-income customers why they need the Internet and that the monthly price cannot increase for at least three years. Skepticism about the Web often tops affordability as an obstacle to getting broadband into poor and immigrant households, the company said. “When a child comes home with information about the school lunch program, we want an Internet Essentials brochure in that packet,” said Cathy Avgiris, executive vice president and general manager of Comcast Cable’s communications and data services.

Marsha Belcher, director of marketing and resource development at the Community and Economic Development Association of Cook County, said that her office’s relationship with Comcast was “a matter of trust.” She added, “All of our staffers have worked with Comcast volunteers. If they want to sign up for triple play, they can, but we trust Comcast when they say they won’t be pitched” costly packages of phone, cable and Internet services.

In September the F.C.C. helped set up Connect2Compete, an independent nonprofit group that compiles pledges from Internet and software companies to get computers and Internet access to the underserved. Connect2Compete serves as a middleman between communities and companies. Comcast’s major competitors, including Cox Communications, Time Warner Cable, Bright House Networks and others, have signed on to offer discounted broadband to low-income customers through Connect2Compete.

That setup is intended to create a buffer between corporations and communities to avoid the kind of murky territory that private-public partnerships like Internet Essentials must navigate, said Zach Leverenz, chief executive at Connect2Compete.

“It’s important to have a trusted intermediary,” he said.
https://www.nytimes.com/2013/01/21/b...ome-homes.html





Schwarzenegger's Comeback Flops, Del Toro's 'Mama' is a Hit
Ben Fritz

Arnold said he'd be back. It turns out moviegoers don't want him back.

Former California Gov. Schwarzenegger's return to the big screen this past weekend was a bomb, as "The Last Stand" grossed an estimated $7.2 million from Friday through Monday. That's his lowest box office debut since 1986's "Raw Deal." Accounting for ticket price inflation, it was likely the 65-year-old's worst opening ever.

It was a bad weekend for A-list men in general, as the Mark Wahlberg-Russell Crowe political thriller "Broken City" opened to a not-much-better $9.5 million.

The overwhelming hit of the holiday was the low-budget horror movie "Mama," which stars Jessica Chastain and opened to a surprisingly strong $33 million.

It was also a good weekend for movies that won Golden Globe awards last weekend. Ticket sales for best dramatic picture winner "Argo" surged 80% on a three-day basis, while grosses for best comedy/musical "Les Miserables" were down only 22%.

Playing nationwide for the first time, "Silver Linings Playbook," whose star Jennifer Lawrence also won a Globe, took in a solid $13 million over the four-day weekend. After nine weeks in limited release, the total domestic gross for the comedic drama that also stars Bradley Cooper is $57 million, an impressive figure for an inexpensive and occasionally dark movie.

In particularly good news for the Weinstein Co., grosses at theaters that played "Silver Linings" last weekend declined only 11%, a sign that word-of-mouth is strong. The studio's president of distribution Erik Lomis said that with a roughly even male-female split, the movie seems to be drawing a large date-night audience.

Award winners "Lincoln" and "Django Unchained" also continued their remarkable runs, with box office receipts down only 14% and 30%, respectively. The total gross for "Lincoln" is now $161.9 million; "Django" is up to $131.8 million.

Lionsgate's bet that Schwarzenegger was ready for a comeback after a decade in politics proved a miscalculation, as the approximately $45 million production posted the worst opening for any movie over the Martin Luther King Day holiday weekend since 2007.

The audience for the over-the-top action picture was mostly male and over 25, meaning they were likely fans of the star's prior work.

As with all of its productions, Lionsgate pre-sold the movie in international markets, in this case collecting about $25 million from distributors who believe prospects for "The Last Stand" might be better overseas.

Universal Pictures spent about $15 million producing "Mama," which means the film is a hit out of the gate. Its success was attributed in part to producer Guillermo Del Toro's prominent role in marketing, which helped to bring a large Latino audience into theaters. The movie overperformed in markets with significant Latino populations: "It was huge in Texas," noted Universal domestic distribution president Nikki Rocco.

The executive also attributed the movie's success to its PG-13 rating, which helped it serve as counter-programming against the large number of R-rated movies, including this weekend's other two new pictures and many of the Golden Globe winners.

An estimated 63% of audiences for "Mama" were under 25, and 35% were under 17.

Independent company Emmett/Furla films financed "Broken City" for about $35 million, with marketing support from New Regency Productions. The drama's box office chances were likely hurt by poor reviews, which made the well-regarded awards movies still in the market more appealing.

All three new films were liked, if not loved, by audiences. "Broken City" and "The Last Stand" garnered an average grade of B, according to market research firm CinemaScore, while "Mama" got a B-.

Total ticket sales were up just 1% for the four-day weekend from one year ago at $165 million, according to Hollywood.com.
http://www.courant.com/entertainment...,6249182.story





Inside Netflix's Project Griffin: The Forgotten History Of Roku Under Reed Hastings
Austin Carr

They codenamed the top-secret project "Griffin," after Tim Robbins' character from the film "The Player." After all, that's what the team was building: The Netflix Player, a black and boxy device, as plain and compact as a necklace case, which subscribers would hook up to their televisions to stream movies and TV shows from the web. Netflix executives knew it could fundamentally change how the company delivered content to its customers, who were used to waiting days for DVDs to arrive by mail. Soon, Netflix could leverage the digital content deals it was striking with studios to dominate the living room, a war still being waged today between industry giants like Apple, Google, and Microsoft.

It was December 2007, and the device was just weeks away from launching. Yet after all the years and resources and talent invested in the project (a team of roughly 20 had been working on it around the clock, from ironing out the industrial design and user interface to taking trips to Foxconn to finalize production details), Netflix CEO Reed Hastings was having serious second thoughts. The problem? Hastings realized that if Netflix shipped its own hardware, it would complicate potential partnerships with other hardware makers. "Reed said to me one day, 'I want to be able to call Steve Jobs and talk to him about putting Netflix on Apple TV,'" recalls one high-level source. "'But if I'm making my own hardware, Steve's not going to take my call.'"

To the surprise of most employees at the company, Hastings decided to kill The Netflix Player, and spin the team out as a separate company. His decision, made almost exactly five years ago this month, was one of the riskiest moves in Netflix's history. But it also proved to be one of Hastings' most prescient. By shelving its hardware and remaining an agnostic platform, Netflix was able to transform itself into a digital powerhouse and become the dominant player in subscription streaming video. Its service is now ubiquitous, accessible on computers, smartphones, tablets, Internet-connected TVs, Blu-ray players, set-top boxes, and video game consoles. Last quarter, its 29 million streaming members consumed more than 3 billion hours of TV shows and movies, making Netflix the biggest cable TV network in the U.S., according to one analyst. But the story behind Hastings' decision, which is more clearly justified in hindsight, shows his unique grasp of the industry and willingness to buck the system.

To understand how radical a departure this was internally, says Roku CEO Anthony Wood, who was then leading project Griffin, "You have to understand the dynamic inside the company." For years, engineers had been developing the technology behind the product, such as video buffering and compression tools, which would allow streaming media to work within the Internet bandwidth available to subscribers. Hastings had been toying with the idea since before streaming was common and YouTube was a household name--back when Netflix even considered building a DVD player that housed a hard drive, where movies could be downloaded and temporarily stored.

The Netflix Player had gone through the typical hardware development stages, which are traditionally referred to as EVT, DVT, and PVT--that is, engineering, design, and production validation testing. During this process, the team refined everything from the software and user interface to the device's thermal requirements and supply chain. (Working with Frog Design on the form factor, the group imagined at one point dyeing the device red to look like a Netflix envelope.) The hardware had gone through endless rounds of product reviews in front of Hastings in the Netflix amphitheater. Internal beta testing had been done; marketing materials had been printed; prices had been set; and advertisements were being shot.

"We built our own streaming player and hardware, which was a bold step for an Internet company. And the whole time, we had been showing demos at company meetings," Wood recalls. "Everyone was really excited. Everyone really wanted to ship the Netflix player."

The company was so amped that a set of employees even produced a parody video of the project for a quarterly business review in October 2007. During the all-hands meeting, the entire company saw its future on the big screen, in a video detailing "The Griffin Initiative." A spoof on the Dharma Initiative from the TV show Lost, which was wildly popular at the time, the video poked fun at the company's production process. "Product managers...used highly evolved scientific processes," says the narrator, as Netflix employees in lab coats throw darts at a wall and play Pong. The video also features a trip to a Foxconn supplier outside Shanghai--one of the first times video was shot inside a Foxconn manufacturing facility, a source tells me. There, the video walks through the manufacturing process, from the Netflix Player's robotically mounted parts to its hand-placed components.

"Since their arrival, the team has been closely watching the productivity techniques," the narrator says, as a video pans across a number of Foxconn workers sleeping on the production line. The joke here? When a production line is being set up, there's often a lot of downtime for workers, who nap to kill time. The narrator facetiously says that the team is now bringing Foxconn's "best practices" back to Netflix's headquarters, as the video shows Wood teaching Hastings how to most effectively sleep at his desk.

The video was a huge hit at the company, and a sign of the enthusiasm behind the Netflix Player as its launch neared. But by mid-December, Hastings, whom the entire company had just seen at the all-hands meeting endorsing the device, was starting to sing a different tune.

Original Roku

"We were getting so close to shipping the hardware, and Reed decides, 'I changed my mind--I don't want to do hardware anymore. If we ship our own hardware, it could be viewed as competitive,'" Wood recalls. "Putting all that money into it; getting it as far along as he did; and then deciding we're not going to do it? Wow. I was surprised. There was so much momentum inside the company."

According to the high-level source, Hastings met with his senior management staff and "hashed it out very quickly," deciding immediately to spin out the Netflix Player to Roku. "Reed sent a note to the VP group saying, 'Here's the decision we made,'" recalls Steve Swasey, then the company's VP of communications. "I remember exactly where I was standing when I read that note. My jaw dropped. We literally had people in studios that day shooting advertising, and everything just stopped. It just stopped. I was saying, 'We're so close! Why don't we launch it?'"

The reason why was a simple answer for Hastings. In order to succeed in streaming video, Netflix couldn't do hardware. It would conflict with partnerships with other device makers. "We could not be competing against Sony, LG, and Samsung," Swasey says.

"Imagine you drive a Chevy, and the gas station is branded Ford," says the top-level source. "Would you feel comfortable filling up your tank there? I think that's why Reed didn't think this could be done inside Netflix."

Just days later, Hastings announced the decision to the rest of the company. "There was a fair amount of shock--it was a kick in the guts," the top-level source recalls.

But ultimately, Wood says, "It was totally the right decision. Licensing [digital content] has been hugely successful for Netflix. [The Netflix Player] would've created tension with partners, and increasingly decisions would come up where Netflix would have to decide, 'Should we make decisions based on what's best for licensing, or what's best for our own hardware?'"

Regardless of how the decision played out, at the time, it was a gigantic risk, and one that Hastings alone decided to take. It was one of the most innovative moments not only in Netflix's history but in Reed's tenure as CEO. "Reed, in general, is a consensus builder," the top-level source says. "He finds different people in key positions and picks their brains to build his own worldview. This was not one of those times. This was a time when Reed, largely independently, realized there was a better strategic play. And despite knowing there was a hell of a lot of investment across the company in making the Netflix Player successful, he was going to make [this better strategic play] happen."

Says Swasey, "At the end of the day, there is one decision maker."

Adds the high-level source, "I've talked to a number of people about his decision, and they said that in the ten years at the company before, Reed had done that maybe one or two other times. And he's always been right when he's done it."
http://www.fastcompany.com/3004709/i...-reed-hastings





iPad Owners to Pay Swedish TV Licence Fee

A move by Sveriges Television (SVT) to offer all of its content online means that Swedes who watch digitally streamed content on computer and tablet devices such as the iPad will have to start paying television licence fees.

On Tuesday, SVT CEO Eva Hamilton used an opinion article published in the Dagens Nyheter (DN) newspaper to announce the state broadcaster would soon offer its entire broadcast line-up free of charge online.

While the change will allow viewers to browse through SVT's entire repertoire on tablet computers as well as smartphones, it also means that people who exclusively consume programmes and news via the internet will be covered by Sweden's TV licence fee.

Currently, anyone with a television receiver is required by law to pay the 2,076 kronor ($320) annual fee, which is collected and enforced by Radiotjänst, a division of Swedish public service broadcasting.

A representative from the agency confirmed with technology magazine Computer Sweden that SVT's move would mean the agency would start collecting the fee from people who didn't own a television, but did own a computer or tablet device.

SVT's Hamilton, however, downplayed the impact of SVT's move on fee collection policies.

"There has been a law in place since 2006 that states that a person who can access an entire TV channel on any device is required to pay the fee," Hamilton said.

"When (private broadcaster) TV4 put all their channels on the web last autumn that law came into effect."

Radiotjänst collects some 7 billion kronor per annum which is used to part-finance Sveriges Television, Sveriges Radio and Utbildningsradio (UR).

The TV licence system does not take into account when, if or how viewers use any of the channels or services which are funded by it.

Despite the move, the actual effect of the new licensing rules will be negligible, as nine out of ten Swedish households already pay the fee. An estimated 97 percent of Swedes watch television.

On its website, Radiotjänst lists most types of technology that can receive content, although it does not mention mobile phones with an internet connection.

While iPads will be covered by the new fee, smartphones will likely be exempt.

“The spectrum of mobile phones is so broad and we don't see their primary use as being watching a single TV channel,” Radiotjänst spokesman Johan Gernandt told Computer Sweden.

Given the technological developments, Hamilton suggested that the state broadcaster merge with the educational channel Utbildningsradion (UR).

"With the technical demands we are facing on publishing on new platforms, it isn't feasible to invest in developments in two separate organisations with such similar production," she wrote.

Pooling resources, she argued, could also mean investment was diverted into higher quality programming.
http://www.thelocal.se/45750/20130122/





Steve Jobs Threatened Patent Suit to Enforce No-Hire Policy: Filing
Dan Levine

Apple co-founder Steve Jobs threatened to file a patent lawsuit against Palm if that company's chief executive didn't agree to refrain from poaching Apple employees, according to a court filing made public on Tuesday.

The communication from Jobs surfaced in a civil lawsuit brought by five tech workers against Apple Inc, Google Inc, Intel Corp and others, alleging an illegal conspiracy to eliminate competition for each other's employees and drive down wages.

The defendant tech companies have attempted to keep a range of documents secret. However, U.S. District Judge Lucy Koh in San Jose, California rejected parts of that request, which led to details of Jobs' 2007 communications with then-Palm chief executive Edward Colligan becoming part of the public record.

Jobs proposed eliminating competition between the two companies for talent, according to a sworn statement from Colligan cited by the plaintiffs.

"Mr. Jobs also suggested that if Palm did not agree to such an arrangement, Palm could face lawsuits alleging infringement of Apple's many patents," Colligan said in the statement.

An Apple representative could not immediately be reached for comment on Tuesday. A spokesman for Hewlett-Packard Co, which acquired Palm, also could not be reached.

Colligan told Jobs that the plan was "likely illegal," and that Palm was not "intimidated" by the threat.

"If you choose the litigation route, we can respond with our own claims based on patent assets, but I don't think litigation is the answer," he said.

In 2010, Google, Apple, Adobe Systems Inc, Intel, Intuit Inc and Walt Disney Co's Pixar unit agreed to a settlement of a U.S. Justice Department probe that bars them from agreeing to refrain from poaching each other's employees.

The Justice Department and California state antitrust regulators then sued eBay Inc late last year over an alleged no-poaching deal with Intuit.

In a separate court filing on Tuesday, eBay asked a U.S. judge to dismiss the government's lawsuits, saying the company had done nothing wrong.

Antitrust law "does not exist to micromanage the interaction between the officers and directors of a public company," eBay said in its filing. A Justice Department spokesman could not immediately be reached.

Koh is currently mulling whether the civil lawsuit can proceed as a class action, which would give the plaintiffs more leverage to extract a large settlement. Plaintiff attorneys have estimated that damages potentially could run into hundreds of millions of dollars.

At a court hearing last week, Koh cited emails between top executives as key evidence for the plaintiffs, though the judge also said the plaintiffs' economic analysis had "holes."

The Tuesday court filings detail how Google developed its no-hire agreements. When Google's human resources director asked then-chief executive Eric Schmidt about sharing its no-cold call agreements with competitors, Schmidt - now the company's executive chairman - advised discretion.

"Schmidt responded that he preferred it be shared 'verbally, since I don't want to create a paper trail over which we can be sued later?'" the court filing said. The HR director agreed.

In an email on Tuesday, Google spokeswoman Niki Fenwick said Google has "always actively and aggressively recruited top talent."

Schmidt is scheduled to be questioned by plaintiff lawyers next month.

The civil case in U.S. District Court, Northern District of California is In Re: High-Tech Employee Antitrust Litigation, 11-cv-2509.

(Reporting By Dan Levine; Editing by Daniel Magnowski)
http://www.reuters.com/article/2013/...90M04Y20130123





Nexus 4 Demand 10 Times Higher than Google Expected
Rich Trenholm

Ten times as many British phone fans want the Nexus 4 as Google expected. LG has once again blamed Google for stock issues with the perennially sold-out smash-hit Android phone, saying the Big G had no idea of the potential demand.

Speaking to Challenges, LG France boss Cathy Robin pointed the finger at Google. LG says it simply built as many phones as Google asked for, a number based on the sales of previous Nexus phones, such as the Nexus S.

It turns out that Google severely misunderestimated how many people would actually buy the phone. Fair enough: who woulda thunk that a quad-core smart phone with the latest Jelly Bean software and a high-definition screen costing £240 would be super-popular? Who could have seen that coming? You'd have to be some kind of visionary or something.

It's not just here in Blighty that the new Nexus has struck a chord. As it turns out, ten times as many phone fans bought the Nexus 4 as anticipated in both Britain and Germany.

LG says it takes about six weeks to increase the frequency of deliveries. Happily, from mid-February, LG will ramp up production of the Nexus 4. Finally!

The Nexus 4 went on sale at the end of last year -- for about an hour. Since then it's been sold out at Google Play almost continually, barring the odd day here and there. If you're not one of the lucky few who managed to get in fast and bag a phone, the only way to get hold of the Nexus 4 is to get it on a contract from a phone network -- which costs a heck of a lot more than £240, in the long term. But which is better: an expensive real phone, or a cheap hypothetical phone?

Virgin Media announced this week it's adding the Nexus 4 to its line-up. Virgin joins O2 and Three in selling the phone.
http://crave.cnet.co.uk/mobiles/nexu...cted-50010190/





Unlocking Cellphones Becomes Illegal Saturday in the U.S.
Michael Gowan

The clock to unlock a new mobile phone is running out.

In October 2012, the Librarian of Congress, who determines exemptions to a strict anti-hacking law called the Digital Millennium Copyright Act (DMCA), decided that unlocking mobile phones would no longer be allowed. But the librarian provided a 90-day window during which people could still buy a phone and unlock it. That window closes on Jan. 26.

Unlocking a phone frees it from restrictions that keep the device from working on more than one carrier's network, allowing it to run on other networks that use the same wireless standard. This can be useful to international travelers who need their phones to work on different networks. Other people just like the freedom of being able to switch carriers as they please.

The new rule against unlocking phones won't be a problem for everybody, though. For example, Verizon's iPhone 5 comes out of the box already unlocked, and AT&T will unlock a phone once it is out of contract.

You can also pay full-price for a phone, not the discounted price that comes with a two-year service contract, to receive the device unlocked from the get-go. Apple sells an unlocked iPhone 5 starting at $649, and Google sells its Nexus 4 unlocked for $300.

Advocacy group the Electronic Frontier Foundation (EFF) questions whether the DMCA has the right to determine who can unlock a phone. In an email to TechNewsDaily, EFF attorney Mitch Stoltz said, "Arguably, locking phone users into one carrier is not at all what the DMCA was meant to do. It's up to the courts to decide."

If you do buy a new phone and want to unlock it before the deadline, you must first ask your carrier if the company will unlock your phone for you. The DMCA only permits you to unlock your phone yourself once you've asked your carrier first.

(Note that unlocking is different from "jailbreaking," which opens the phone up for running additional software and remains legal for smartphones.)

Christopher S. Reed from the U.S. Copyright Office noted in an email to TechNewsDaily that "only a consumer, who is also the owner of the copy of software on the handset under the law, may unlock the handset."

But come Saturday, you'll have to break the law to unlock your phone. If you want to get in under the gun, you can search the Internet for the code to enter to unlock the phone or find a tool that will help you accomplish the task.

The change could crimp the style of carriers like T-Mobile, which have pushed "bring your own device" as an incentive for switching service providers. Such carriers promise savings in exchange for using your existing phone on their network.

T-Mobile has promoted this notion for iPhones, in particular, since the company is the only one of the big four U.S. carriers that doesn't sell the iPhone. The carrier goes so far as to feature ads displaying an open padlock, with an iPhone replacing the body of the lock. T-Mobile declined to comment.
http://mashable.com/2013/01/23/unloc...hones-illegal/





Google Tells Cops to Get Warrants for User E-Mail, Cloud Data
David Kravets

Google demands probable-cause, court-issued warrants to divulge the contents of Gmail and other cloud-stored documents to authorities in the United States — a startling revelation Wednesday that runs counter to federal law that does not always demand warrants.

The development surfaced as Google publicly announced that more than two-thirds of the user data Google forwards to government agencies across the United States is handed over without a probable-cause warrant.

A Google spokesman told Wired that the media giant demands that government agencies — from the locals to the feds — get a probable-cause warrant for content on its e-mail, Google Drive cloud storage and other platforms — despite the Electronic Communications Privacy Act allowing the government to access such customer data without a warrant if it’s stored on Google’s servers for more than 180 days.

“Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the Constitution, which prevents unreasonable search and seizure,” Chris Gaither, a Google spokesman, said.

Some of the customer data doled out without a warrant include names listed when creating Gmail accounts, the IP address from where the account was created, and where and what time a user signs in and out of an account. What’s more, Google hands over without warrants the IP address associated with a particular e-mail sent from a Gmail account or used to change the account password, in addition to the non-content portion of e-mail headers such as the “from,” “to” and “date” fields.

It was not immediately known whether other ISPs are traveling Google’s path when it comes to demanding probable-cause warrants for all stored content. But Google can seemingly grant more privacy than the four corners of the law allows because there’s been a string of conflicting court opinions on whether warrants are required for data stored on third-party servers longer than 180 days. The Supreme Court has never weighed in on the topic — and the authorities are seemingly abiding by Google’s rules to avoid a high court showdown.

The Electronic Communications Privacy Act of 1986, the relevant law in question, was adopted at a time when e-mail wasn’t stored on servers for a long time, but instead was held there briefly on its way to the recipient’s inbox. In the 1980s, e-mail more than 6 months old was assumed abandoned, and therefore ripe for the taking without a probable-cause warrant.

That law is still on the books today, even as the advancement of technology has undermined its original theory.

But clearly, changing the law to comport with Google’s interpretation has been met with unreceptive members of Congress.

The Senate Judiciary Committee approved a measure last year mirroring Google’s interpretation, but the bill died a quiet death. Moves to change the law have been scuttled over and again.
http://www.wired.com/threatlevel/201...get-a-warrant/





In a French Case, a Battle to Unmask Twitter Users
Eric Pfanner and Somini Sengupta

A French court on Thursday told Twitter to identify people who had posted anti-Semitic and racist entries on the social network. Twitter is not sure it will comply. And the case is yet another dust-up in the struggle over speech on the Internet, and which countries’ laws prevail.

The court order came in a lawsuit brought by French groups who said the Twitter postings, which were made under pseudonyms, broke French law against racist speech. Twitter has said that under its own rules, it does not divulge the identity of users except in response to a valid court order in the United States, where its data is stored. Twitter has already removed some of the content at issue from its site in France, in keeping with company policy to remove posts in countries where they violate the law.

On Thursday, Twitter said in a brief statement that it would review its legal options after the French ruling; officials at the company’s San Francisco headquarters did not respond to numerous requests for comment.

It remains unclear whether French prosecutors will press their case across the Atlantic and force Twitter’s hand in an American court under a time-consuming process detailed in a so-called mutual legal assistance treaty.

The case revolves around the broad question of which country’s laws have jurisdiction over content on the Internet. This question has become increasingly complicated as vast piles of information are stored in sprawling data centers, known as the cloud, that are accessible over the Internet anywhere, anytime.

“It is a big deal because it shows the conflict between laws in France and laws in the U.S., and how difficult it can be for companies doing business around the world,” said Françoise Gilbert, a French lawyer who represents Silicon Valley companies in courts on both continents.

In this case, the jurisdictional issue has an additional wrinkle because Twitter does not have an office in France and does not face the prosecution of its employees here, a problem that other Web companies, like Facebook and Google, have faced elsewhere. Twitter is popular in France, nonetheless. It is available to anyone with an Internet connection and sells ads on its site here. This could embolden French authorities to try to apply their laws to the service.

With 200 million users, most of them outside the United States, Twitter has confronted these conundrums over hate speech and free expression before, especially in Europe.

In October, at the request of the German government, Twitter blocked users in Germany from access to the account of a neo-Nazi group banned there. It was the first time Twitter acted on a policy known as “country-withheld content,” announced last January, in which it agreed to block an account at the request of a government.

In 2011, British authorities went to court in California to extract information about a Twitter user who went by the pseudonym Mr. Monkey and was accused of defaming members of a British town council. The company complied.

Twitter says in its online help center that foreign law enforcement agencies can seek user data through what is known as a “mutual legal assistance treaty.”

“It is our policy to respond to such U.S. court-ordered requests when properly served,” the company says on the site.

But Twitter is not the only Web company facing government requests for personal data. Google said this week that it received more than 21,000 requests in the last six months; more than 8,000 from the United States, which was followed by India, France, Germany and Britain.

Twitter, though, has sought to cast itself as a special defender of free speech, sometimes describing it as a competitive advantage. On occasion, it has fought unsuccessful battles with prosecutors in the United States seeking to extract data on Twitter users.

The French case is also part of a brewing fight between the United States and Europe over the data controlled by American Web companies and stored in the cloud. European lawmakers worry about American companies sharing data about Europeans with the United States government under American laws that authorize surveillance on foreign citizens. This case flips that objection on its head, with European authorities seeking information on its citizens from an American company.

Chris Wolf, an American lawyer who was in Brussels this week at a conference debating European data protection laws, said it was proving difficult to interpret jurisdiction laws in the digital age.

He offered a paper analogy. If French authorities sought access to files stored in an American company’s offices in Paris, they could physically get their hands on the material and use it in a court of law.

“The physical presence of a thing or a person have always been major factors in determining which government has the right to have its rules applied,” Mr. Wolf said. “The power to access data makes physical location of evidence irrelevant.”

The French case was prompted by a spate of anti-Semitic writing on Twitter late last year, including hashtags, or topical themes, like “a good Jew is a dead Jew.” There were also jokes about the Holocaust and comments denigrating Muslims. Holocaust denial is a crime in France, and the country has strict laws against hate speech.

Organizations like the French Union of Jewish Students and SOS Racisme filed the suit, seeking to identify those responsible for the accounts.

The court said Twitter should provide “data in its possession that could permit the identification of anyone who has contributed to the creation of manifestly illegal tweets.”

The court stopped short of recommending screening, but said that Twitter should “set up, within the framework of its French platform, an easily accessible and visible system enabling anyone to bring to its attention illegal content, especially that which falls within the scope of the apology of crimes against humanity and incitement to racial hatred.”

The court order was hailed by the Jewish student group. “The French justice system has made a historic decision today,” said Jonathan Hayoun, its president, in a statement. “It reminds victims of racism and anti-Semitism that they are not alone, and that French law, which protects them, should apply everywhere, including Twitter.”

The sensitivity of the issue in France was heightened by the killing of seven people, including four Jews, in southern France last March by Mohammed Merah, who claimed to be acting for Al Qaeda. Since then, Jewish groups say, anti-Semitic material, including Twitter feeds appearing to be tributes to Mr. Merah, has proliferated.

The government has scheduled a meeting between company officials and advocacy groups that are pressing Twitter to be tougher on hate speech, said a government spokeswoman, Najat Vallaud-Belkacem.

Eric Pfanner reported from Paris and Somini Sengupta from San Francisco.
https://www.nytimes.com/2013/01/25/t...tic-posts.html





Court: Sex Offender Facebook Ban Unconstitutional
Charles Wilson

An Indiana law that bans registered sex offenders from using Facebook and other social networking sites that can be accessed by children is unconstitutional, a federal appeals court ruled Wednesday.

The 7th U.S. Circuit Court of Appeals in Chicago overturned a federal judge's decision upholding the law, saying the state was justified in trying to protect children but that the "blanket ban" went too far by restricting free speech.

The 2008 law "broadly prohibits substantial protected speech rather than specifically targeting the evil of improper communications to minors," the judges wrote.

"The goal of deterrence does not license the state to restrict far more speech than necessary to target the prospective harm," they said in a 20-page decision.

The judges noted that the U.S. Supreme Court has also struck down laws that restricted the constitutional right to freedom of expression, such as one that sought to ban leafleting on the premise that it would prevent the dropping of litter.

U.S. District Judge Tanya Walton Pratt ruled in June that the state has a strong interest in protecting children and found that social networking had created a "virtual playground for sexual predators to lurk." She noted that everything else on the Internet remained open to those who have been convicted of sex offenses.

The American Civil Liberties Union of Indiana filed the class-action suit on behalf of a man who served three years for child exploitation and other sex offenders who are restricted by the ban even though they are no longer on probation.

Courts have long allowed states to place restrictions on convicted sex offenders who have completed their sentences, controlling where many live and work and requiring them to register with police. But the ACLU contended that even though the Indiana law is only intended to protect children from online sexual predators, social media websites are virtually indispensable. The group said the ban prevents sex offenders from using the websites for legitimate political, business and religious purposes.

The ACLU applauded the decision.

"Indiana already has a law on the books that prohibits inappropriate sexual contacts with children," including penalties for online activities, ACLU legal director Ken Falk said. "This law sought to criminalize completely innocent conduct that has nothing to do with children."

Indiana Attorney General Greg Zoeller said his office would review the ruling before deciding on the next step.

Federal judges have barred similar laws in Nebraska and Louisiana. Louisiana legislators passed a new, narrower law last year that requires sex offenders to identify themselves on Facebook and similar sites. A federal judge struck down part of Nebraska's law last October.
http://bigstory.ap.org/article/court...constitutional





Internet Connection Crucial to Everyday Life, German Federal Court Rules

Because an internet connection is an important commodity, the plaintiff should be compensated for the loss of it, the court ruled
Loek Essers

Internet access is as crucial to everyday life as having a phone connection and the loss of connectivity is deserving of financial compensation, the German Federal Court of Justice has ruled.

Because having an internet connection is so significant for a large part of the German population, a customer whose service provider failed to provide connectivity between December 2008 and February 2009 is entitled to compensation, the court ruled today.

"It is the first time the court ruled that an Internet connection is as important a commodity as having a phone," said court spokeswoman Dietlind Weinland.

The plaintiff was erroneously disconnected and demanded that the unnamed telecommunications company pay for the costs incurred in switching to a new provider. The plaintiff also demanded compensation of €50 (£42) per day for the period he was unable to use his DSL, fax over IP and VoIP services, according to the court.

The Federal Court, however, awarded compensation only for loss of the internet connection. Compensation for the loss of a fax connection was denied because a fax only enables the user to send text and images faster than conventional mail and the technology is increasingly becoming irrelevant due to the rise of alternatives such as email, the court ruled.

While a phone connection is an important commodity, the plaintiff was also denied compensation for loss of his VoIP phone line since he owned a mobile phone, said Weinland.

But the plaintiff is entitled to compensation for the lost DSL line because the Internet has been a crucial part of people's economic living standards for a while now, the court ruled.

The internet is important because it offers access to information in the form of text, images, video and audio files. Almost all subjects are covered on the Internet, from light entertainment to highly scientific topics, the court said.

Because of its availability, the Internet increasingly replaces other media such as encyclopedias, magazines or TV, and it also enables a global exchange between its users via email, forums, blogs and social networks, the court said. In addition, the internet is increasingly used for the initiation and conclusion of contracts as well as for legal transactions and the fulfilment of public service obligations, it added.
http://www.computerworlduk.com/news/...l-court-rules/





iPad Hack Statement Of Responsibility
Andrew Auernheimer

Editor’s note: Andrew Auernheimer, also known by his pseudonym weev, is an American grey hat hacker and self-described Internet troll. Follow him on Twitter @rabite.

In June of 2010 there was an AT&T webserver on the open Internet. There was an API on this server, a URL with a number at the end. If you incremented this number, you saw the next iPad 3G user email address. I thought it was egregiously negligent for AT&T to be publishing a complete target list of iPad 3G owners, and I took a sample of the API output to a journalist at Gawker.

I did this because I despised people I think are unjustly wealthy and wanted to embarrass them. I thought this is the United States of America where we have the right to do basic arithmetic and query public webservers.

I was convicted of two consecutive five-year felonies, and am now awaiting sentencing.

I left the Aaron Swartz memorial tonight emotionally exhausted. Here is a guy who was beloved by many of my close friends, whose suffering and miseries I have shared in kind. I’ll never forget when the Secret Service started following me. My lover at the time and I treated it like a game, spending our days ditching surveillance in the best ways possible: speedboats, helicopters, club bouncers.

Over time, this has become less and less of a game. It soon became clear that I could not be both an activist and a capitalist. I quit my six figure job at the time because the former was more important to me. Then one day, everything changed. FBI agents tried to frame me for terrorism in 2008. Twice. They ruined my career, my relationship, my life. Nobody believed that I could be a terrorist so now they try to libel me as an identity thief.

Lawrence Lessig said of Aaron’s indictment that the prosecutor Ortiz was “either an idiot, or a liar.” I know this feeling all too well.

One of my prosecutors, Michael Martinez, claimed that our querying a public webserver was criminal because “it isn’t like going to ESPN and checking your sports team’s scores.”

The facts: AT&T admitted, at trial, that they “published” this data. Their words. Public-facing, programmatic accesses of APIs happen upwards of a trillion times per day. Twitter broke 13 billion on their API ages ago. This is something that happens more than the entire population of Earth, daily. The government has no problem with this up until you transform the output into something offensive to important people. People with “disruptive” startups, this is your fair warning: They are coming for you next.

The other one of my prosecutors, Zach Intrater, said that a comment I made about Goatse Security, my information security working group, starting a certification process to declare systems “goatse tight” was evidence of my intent to personally profit. For those not in on the joke: Goatse is an Internet meme referencing a man holding open his anus very widely. The mind reels.

I can’t survive like this. I am happy to be hitting a prison cell soon. They ruined my business. The feds get approval of who I can work for or with: they rejected one company because the CEO had a social network profile with an occupation listed as “hacker.” They prohibit me from touching any computer that isn’t federally monitored. I do my best to slang Perl code on an Android device to comply with my bail conditions. It isn’t pretty.

Ivy League educated and wealthy, Aaron dealt with his indictment so badly because he thought he was part of a special class of people that this didn’t happen to. I am from a rundown shack in Arkansas. I spent many years thinking people from families like his got better treatment than me. Now I realize the truth: The beast is so monstrous it will devour us all. None will be spared.

So now I stare at a form that the government wants me to fill out before sentencing labelled “acceptance of responsibility” and wonder what I can possibly fill in this slot. This letter is it.

I accept my responsibility, and hope you do too, of dismantling this terrible empire so that this can’t happen to anyone.

This is the difference between the prosecutors and FBI agents and I. They wish me utterly destroyed, and have been hounding me for years of my life. They have been surveilling me, by their own admission, since I was 15. You know what I wish for? A world where no man may abridge the liberty of another. Not me, not you, not the FBI, not federal prosecutors. I actually hope they have fulfilling lives, and come to realize the mistake of treating our Constitution like toilet paper.

This is a country where if you express ideas that federal agents don’t like you, you will be beaten, imprisoned, or killed. I accept my responsibility for offending seditious thugs, liars and tyrants. I say this is the duty of all decent citizens left.

God bless.

Andrew Auernheimer

http://techcrunch.com/2013/01/21/ipa...esponsibility/
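The flaw weev describes above (a numeric ID at the end of an API URL that, when incremented, returns the next user's e-mail address) is what application-security practitioners call an insecure direct object reference. The following is an added illustration written for this page; it is not AT&T's code and not from the statement. It puts the vulnerable lookup beside two mitigations, an ownership check bound to the authenticated session and random public identifiers that cannot be walked, and adds a small log detector that flags a client stepping through sequential IDs. All account data, identifiers, IP addresses and log lines are constructed, and every function name is hypothetical.

```python
"""Insecure direct object reference: vulnerable lookup, hardened lookup, and a
log-side detector for ID-walking.  Constructed sample data throughout."""
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    seq_id: int        # sequential database key: guessable by anyone
    public_id: str     # random identifier exposed in URLs: not guessable
    email: str


def make_accounts(emails):
    """Assign each constructed account a sequential key and a random public id."""
    return [Account(i, secrets.token_urlsafe(16), e) for i, e in enumerate(emails, start=1)]


# Constructed sample accounts (hypothetical addresses, not real users).
ACCOUNTS = make_accounts(["alice@example.com", "bob@example.com", "carol@example.com"])
BY_SEQ = {a.seq_id: a for a in ACCOUNTS}
BY_PUBLIC = {a.public_id: a for a in ACCOUNTS}


def lookup_insecure(seq_id):
    """Vulnerable pattern: the record is selected by a sequential key and no
    caller identity is required, so the whole table can be read by counting."""
    acct = BY_SEQ.get(seq_id)
    return acct.email if acct else None


def lookup_secure(session_public_id, requested_public_id):
    """Hardened pattern: the caller must be authenticated (session_public_id is
    the id of the logged-in account) and may only read its own record.  A
    mismatch and a missing record give the same answer so the endpoint is not
    an oracle for which ids exist."""
    if session_public_id is None or session_public_id != requested_public_id:
        return None
    acct = BY_PUBLIC.get(requested_public_id)
    return acct.email if acct else None


def harvest(lookup, candidate_ids):
    """Count how many records an unauthenticated walk over candidate ids yields;
    used here only to measure the exposure of each lookup function."""
    return sum(1 for i in candidate_ids if lookup(i) is not None)


# Constructed access-log lines in the shape "<client-ip> <method> <path>".
SAMPLE_LOG = """\
203.0.113.5 GET /api/account/1042
198.51.100.7 GET /api/account/1001
198.51.100.7 GET /api/account/1002
203.0.113.5 GET /api/account/1042
198.51.100.7 GET /api/account/1003
198.51.100.7 GET /api/account/1004
198.51.100.7 GET /api/account/1005
203.0.113.5 GET /api/account/1042
""".splitlines()


def detect_id_walk(log_lines, window=5):
    """Return the client IPs whose requests contain a run of `window` consecutive
    numeric path ids each exactly one higher than the last: the signature of a
    client enumerating a sequential keyspace."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, path = parts[0], parts[2]
        tail = path.rsplit("/", 1)[-1]
        if tail.isdigit():
            ids_by_client[client].append(int(tail))
    flagged = []
    for client, ids in ids_by_client.items():
        for start in range(len(ids) - window + 1):
            run = ids[start:start + window]
            if all(b == a + 1 for a, b in zip(run, run[1:])):
                flagged.append(client)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("insecure walk over 1..999 yields", harvest(lookup_insecure, range(1, 1000)), "records")
    print("unauthenticated walk over real public ids yields",
          harvest(lambda i: lookup_secure(None, i), [a.public_id for a in ACCOUNTS]), "records")
    print("clients walking ids:", detect_id_walk(SAMPLE_LOG))
```

The ownership check is the actual fix; the random identifier only raises the cost of guessing and is worth having because it also keeps the detector's signal clean (a legitimate client never has a reason to request ids in arithmetic sequence). The detector is deliberately simple; in production the same idea is expressed as a rate and sequence rule in whatever log pipeline fronts the API.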





Pupil Expelled from Montreal College after Finding ‘Sloppy Coding’ that Compromised Security of 250,000 Students’ Personal Data
Ethan Cox

A student has been expelled from Montreal’s Dawson College after he discovered a flaw in the computer system used by most Quebec CEGEPs (General and Vocational Colleges), one which compromised the security of over 250,000 students’ personal information.

Ahmed Al-Khabaz, a 20-year-old computer science student at Dawson and a member of the school’s software development club, was working on a mobile app to allow students easier access to their college account when he and a colleague discovered what he describes as “sloppy coding” in the widely used Omnivox software, which would allow “anyone with a basic knowledge of computers to gain access to the personal information of any student in the system, including social insurance number, home address and phone number, class schedule, basically all the information the college has on a student.”

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” said Mr. Al-Khabaz. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

After an initial meeting with Director of Information Services and Technology François Paradis on Oct. 24, where Mr. Paradis congratulated Mr. Al-Khabaz and colleague Ovidiu Mija for their work and promised that he and Skytech, the makers of Omnivox, would fix the problem immediately, things started to go downhill.

Two days later, Mr. Al-Khabaz decided to run a software program called Acunetix, designed to test for vulnerabilities in websites, to ensure that the issues he and Mija had identified had been corrected. A few minutes later, the phone rang in the home he shares with his parents.

“It was Edouard Taza, the president of Skytech. He said that this was the second time they had seen me in their logs, and what I was doing was a cyber attack. I apologized, repeatedly, and explained that I was one of the people who discovered the vulnerability earlier that week and was just testing to make sure it was fixed. He told me that I could go to jail for six to twelve months for what I had just done and if I didn’t agree to meet with him and sign a non-disclosure agreement he was going to call the RCMP and have me arrested. So I signed the agreement.”

The agreement prevented Mr. Al-Khabaz from discussing confidential or proprietary information he found on Skytech servers, or any information relating to Skytech, their servers or how he accessed them. The agreement also prevented Mr. Al-Khabaz from discussing the existence of the non-disclosure pact itself, and specified that if his actions became public he would face legal consequences.

When reached for comment Mr. Taza acknowledged mentioning police and legal consequences, but denied having made any threats, and suggested that Mr. Al-Khabaz had misunderstood his comments.

“All software companies, even Google or Microsoft, have bugs in their software,” said Mr. Taza. “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”

Taza explained that he was quite pleased with the work the two students did identifying problems, but the testing software Mr. Al-Khabaz ran to verify the system was fixed crossed a line.

“This type of software should never be used without prior permission of the system administrator, because it can cause a system to crash. He [Al-Khabaz] should have known better than to use it without permission, but it is very clear to me that there was no malicious intent. He simply made a mistake.”

The administration of Dawson College clearly saw things differently, proceeding to expel Mr. Al-Khabaz for a “serious professional conduct issue.”

“I was called into a meeting with the co-ordinator of my program, Ken Fogel, and the dean, Dianne Gauvin,” says Mr. Al-Khabaz. “They asked a lot of questions, mostly about who knew about the problems and who I had told. I got the sense that their primary concern was covering up the problem.”

Following this meeting, the fifteen professors in the computer science department were asked to vote on whether to expel Mr. Al-Khabaz, and fourteen voted in favour. Mr. Al-Khabaz argues that the process was flawed because he was never given a chance to explain his side of the story to the faculty. He appealed his expulsion to the academic dean and even director-general Richard Filion. Both denied the appeal, leaving him in academic limbo.

“I was acing all of my classes, but now I have zeros across the board. I can’t get into any other college because of these grades, and my permanent record shows that I was expelled for unprofessional conduct. I really want this degree, and now I won’t be able to get it. My academic career is completely ruined. In the wrong hands, this breach could have caused a disaster. Students could have been stalked, had their identities stolen, their lockers opened and who knows what else. I found a serious problem, and tried to help fix it. For that I was expelled.”

Morgan Crockett, director of internal affairs and advocacy for the Dawson Student Union, agrees.

“Dawson has betrayed a brilliant student to protect Skytech management,” said Ms. Crockett. “It’s a travesty that Ahmed’s academic future has been compromised just so that Dawson and Skytech could save face. If they had any sense of decency, they would reinstate Ahmed into [the] computer science [program], refund the financial aid debt he has incurred as a result of his expulsion and offer him a full public apology.”

Repeated calls to various members of the Dawson administration were not returned, with the college citing an inability to discuss an individual student’s case on legal and ethical grounds in a statement released by their communications department.
http://news.nationalpost.com/2013/01...personal-data/





How M.I.T. Ensnared a Hacker, Bucking a Freewheeling Culture
Noam Cohen

In the early days of 2011, the Massachusetts Institute of Technology learned that it had an intruder. Worse, it believed the intruder had been there before.

Months earlier, the mysterious visitor had used the school’s computer network to begin copying millions of research articles belonging to Jstor, the nonprofit organization that sells subscription access to universities.

The visitor was clever — switching identifications to avoid being blocked by M.I.T.’s security system — but eventually the university believed it had shut down the intrusion, then spent weeks reassuring furious officials at Jstor that the downloading had been stopped.

However, on Jan. 3, 2011, according to internal M.I.T. documents obtained by The New York Times, the university was informed that the intruder was back — this time downloading documents very slowly, with a new method of access, so as not to alert the university’s security experts.

“The user was now not using any of the typical methods to access MITnet to avoid all usual methods of being disabled,” concluded Mike Halsall, a senior security analyst at M.I.T., referring to the university’s computer network.

What the university officials did not know at the time was that the intruder was Aaron Swartz, one of the shining lights of the technology world and a leading advocate for open access to information, with a fellowship down the road at Harvard.

Mr. Swartz’s actions presented M.I.T. with a crucial choice: the university could try to plug the weak spot in its network or it could try to catch the hacker, then unknown.

The decision — to treat the downloading as a continuing crime to be investigated rather than a security threat that had been stopped — led to a two-day cat-and-mouse game with Mr. Swartz and, ultimately, to charges of computer and wire fraud. Mr. Swartz, 26, who faced a potentially lengthy prison term and whose trial was to begin in April, was found dead of an apparent suicide in his Brooklyn apartment on Jan. 11.

Mr. Swartz’s supporters called M.I.T.’s decision a striking step for an institution that prides itself on operating an open computer network and open campus — the home of a freewheeling programming culture. M.I.T.’s defenders viewed the intrusion as a computer crime that needed to be taken seriously.

M.I.T. declined to confirm any of these details or comment on its actions during the investigation. The university’s president, L. Rafael Reif, said last week, “It pains me to think that M.I.T. played any role in a series of events that have ended in tragedy.” He appointed a professor, Hal Abelson, to analyze M.I.T.’s conduct in the investigation. To comment now, a spokeswoman for the university said, would be “to get ahead of that analysis.”

Early on Jan. 4, at 8:08 a.m., according to Mr. Halsall’s detailed internal timeline of the events, a security expert was able to locate that new method of access precisely — the wiring in a network closet in the basement of Building 16, a nondescript rectangular structure full of classrooms and labs that, like many buildings on campus, is kept unlocked.

In the closet, Mr. Halsall wrote, there was a netbook, or small portable computer, “hidden under a box,” connected to an external hard drive that was receiving the downloaded documents.

At 9:44 a.m. the M.I.T. police were called in; by 10:30 a.m., the Cambridge police were en route, and by 11 a.m., Michael Pickett, a Secret Service agent and expert on computer crime, was on the scene. On his recommendation, a surveillance camera was installed in the closet and a second laptop was connected to the network switch to track the traffic.

There may have been a reason for the university’s response. According to the timeline, the tech team detected brief activity from China on the netbook — something that occurs all the time but still represents potential trouble.

E-mails among M.I.T. officials that Tuesday in January 2011 highlight the pressures university officials felt over a problem they thought they had solved. Ann J. Wolpert, the director of libraries, wrote to Ellen Finnie Duranceau, the official who was receiving Jstor’s complaints: “Has there ever been a situation similar to this when we brought in campus police? The magnitude, systematic and careful nature of the abuses could be construed as approaching criminal action. Certainly, that’s how Jstor views it.”

Some of Mr. Swartz’s defenders argue that collecting and providing evidence to the government without a warrant may have violated federal and state wiretapping statutes.

“This was a pivotal moment,” said Elliot Peters, Mr. Swartz’s lawyer. “They could have decided, we’re going to unplug this computer, take it off the network and tell the police to get a warrant.”

Mr. Peters had persuaded a judge to hear his arguments that the evidence collected from the netbook be excluded from the trial, asserting that Mr. Swartz’s Fourth Amendment protections from unlawful search and seizure had been violated. (All charges against Mr. Swartz were dropped after his death.)

Investigators first caught sight of Mr. Swartz on camera the day it was installed. At 3:26 p.m., the timeline notes, the “suspect is seen on camera entering network closet, noticeably unaware of what had occurred all morning.”

But Mr. Swartz managed to leave before the police could arrive. Also, “on his way out, the suspect shuts off the lights,” the timeline reports, which “will hurt video quality and possibly work against the motion activation of the camera.” A technician quickly turned them back on.

Mr. Swartz certainly knew his way around the M.I.T. campus — as his defense pointed out in court, he had given a guest lecture there, he had many friends on campus, and his father, Bob Swartz, remains as a consultant at the university’s Media Lab.

Two days later, the timeline notes that Aaron Swartz “enters network closet while covering his face with bike helmet, presumably thinking video cameras may be in hallway.” More seriously for the M.I.T. investigation, “once inside and with the door closed, he hurriedly removes his netbook, hard drive and network cable and stows them in his backpack.” He was gone within two minutes, too quickly for the police to catch him.

Perhaps suspecting he was being watched, Mr. Swartz moved the computer. But M.I.T.’s tech team believed it had tracked it to the fourth floor of the same Building 16. The university called for “police presence.”

A little after 2 p.m., according to the government, Mr. Swartz was spotted heading down Massachusetts Avenue within a mile of M.I.T. After being questioned by an M.I.T. police officer, he dropped his bike and ran (according to the M.I.T. timeline, he was stopped by an M.I.T. police captain and Mr. Pickett). He was carrying a data storage device with a program on it, the government says, that tied him to the netbook.

The arrest shocked friends of Mr. Swartz, as well as M.I.T. alumni. Brewster Kahle, an M.I.T. graduate and founder of the digital library Internet Archive, where Mr. Swartz gave programming assistance, wrote: “When I was at M.I.T., if someone went to hack the system, say by downloading databases to play with them, might be called a hero, get a degree, and start a company. But they called the cops on him. Cops.”

Mr. Swartz turned over his hard drives with 4.8 million documents, and Jstor declined to pursue the case. But Carmen M. Ortiz, the United States attorney in Boston, decided to press on. The government has defended M.I.T.’s decision to “collaborate” with the federal investigation and argued there was no need for a warrant because, as a trespasser on M.I.T.’s campus, Mr. Swartz had no reasonable expectation of privacy for his netbook. And M.I.T.’s officials were rightfully concerned, the government argued, by the threat they faced.

“M.I.T. had to identify the hacker and assist with his apprehension in order to prevent further abuse,” the government argued in court.

Michael Sussmann, a Washington lawyer and a former federal prosecutor of computer crime, said that M.I.T. was the victim and that, without more information, it had to assume any hackers were “the Chinese, even though it’s a 16-year-old with acne.” Once the police were called in, the university could not back away from the investigation. “After there’s a referral, victims don’t have the opportunity to change their mind.”

Mr. Swartz’s father, in a telephone interview, described himself as “devastated” by M.I.T.’s conduct during the investigation of his son. “M.I.T. claimed they were neutral — but we don’t believe they acted in a neutral way,” he said, adding, “My belief is they put their institutional concerns first.”

He described attending two meetings with the chancellor of M.I.T., Eric Grimson. Each time there also was a representative of the general counsel’s office. At both meetings, he said, members of M.I.T.’s legal team assured him and the chancellor that the government had compelled M.I.T. to collect and hand over the material. In that first meeting, he recalled, “I said to the chancellor, ‘Why are you destroying my son?’ He said, ‘We are not.’ ”

John Schwartz contributed reporting.
https://www.nytimes.com/2013/01/21/t...g-culture.html





A Close Look at How Oracle Installs Deceptive Software with Java Updates
Ed Bott

Summary: Oracle's Java plugin for browsers is a notoriously insecure product. Over the past 18 months, the company has released 11 updates, six of them containing critical security fixes. With each update, Java actively tries to install unwanted software. Here's what it does, and why it has to stop.

Congratulations, Oracle.

Java is the new king of foistware, displacing Adobe and Skype from the top of the heap.

And it earned that place with a combination of software update practices that are among the most user-hostile and cynical in the industry.

In coordination with Ben Edelman, an expert on deceptive advertising, spyware and adware, I've been looking at how Oracle delivers Java to its customers and who it has chosen to partner with. The evidence against Oracle is overwhelming.

Specifically:

• When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
• With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s “recommendation,” you end up with unwanted software on your PC.
• IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
• The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results.

I’ve spent the past weekend installing and updating Java on an assortment of physical and virtual test PCs to see exactly how the Java updater works.

Here’s what I found.

When you install Java on a Windows PC for the first time, the installer includes this step, which I’ve previously documented:

Notice how the check box for that Ask toolbar is selected already. If you click Next or press Enter, that toolbar is installed into Internet Explorer, Chrome, and Firefox.

But surely you can just clear that checkbox, continue, and move on. Right?

Well, yes. Until there’s an important security update, which happens with depressing regularity to the Java browser plugin. (There have been 11 updates to Java SE 7, including six that fixed critical security issues, in the 18 months since its initial release.) Java’s updater forces the user to go through the same installation process, with the same pre-selected option to install unwanted software.

The reason, of course, is money: Oracle collects a commission every time that toolbar gets installed. And the Ask installer goes out of its way to hide its workings.

As I confirmed in my testing, when you update Java and simply click or press Enter to accept the default settings, the Java updater completes its installation first and displays this result:
[screenshot: java-update-complete]

That dialog box is not telling the truth.

In the background, the Ask toolbar installer continues to run, but it delays execution for 10 minutes. If you are a sophisticated Windows user and you missed the initial checkbox, your natural instinct at this point would be to open Control Panel and check Programs and Features. When you do, you will see that only the Java update has been installed. You might also check your browser settings to confirm that no changes have been made to your settings. You might conclude that you dodged a bullet and that the unwanted software wasn’t installed.

But you would be wrong. The Ask installer is still running, and after waiting 10 minutes, it drops two programs on the target system.

The only indication that this installer is running is a brief flash of the mouse pointer. A check of the Windows event logs shows that the installer completed its activity exactly 10 minutes after the Java installer finished, and the two Ask modules show up in the list of installed programs.
[screenshot: java-update-adds-ask-toolbars]

I’ve never seen a legitimate program with an installer that behaves this way. But spyware expert Ben Edelman notes that in the early part of the last decade this trick was business as usual for companies in the business of installing deceptive software. That list includes notorious bad actors like WhenU, Gator, and Claria.

In a new post, Edelman thoroughly analyzes the Ask toolbar and breaks down the deceptive behavior that the toolbar itself is associated with:

• The Ask toolbar “takes over default search, address bar search, and error handling.” As Edelman notes, “That's an intrusive set of changes, and particularly undesirable in light of the poor quality of IAC's search results.”
• If you use the toolbar’s search box, you’re sent to “an IAC Mywebsearch results page with advertisements and search results syndicated from Google [with] listings that are intentionally less useful -- focused primarily on IAC's business interest in encouraging the user to click extra advertisements.”
• Unlike a Google search page, ads at IAC Mywebsearch lack “distinctive background color to help users distinguish ads from algorithmic results. Furthermore, IAC's voluminous ads fill the entirety of the first screen of results for many searches. A user familiar with Google would expect ads to have a distinctive background color and would know that ads typically stop after at most one screen … the user might well conclude that these are algorithmic listings rather than paid advertisements.”
• The ads on the Mywebsearch pages ignore standard industry practice and Google rules and make the entire ad clickable, “including domain name, ad text, and large whitespace … IAC's search result pages expand the clickable area of each advertisement to fill the entire page width, sharply increasing the fraction of the page where a click will be interpreted as a request to visit the advertiser's page.”

This is sleazy stuff. If you have installed this software, it affects searches you run from the address bar in any browser, including Chrome. Installing the Java update on my main PC hijacked the default search provider in Chrome 24 (the current version) and redirected searches from the Google omnibox (the address bar) to Ask.com. At no point was I asked for permission to make these changes to the settings in Chrome. (A reasonable person would not conclude that clicking "Next" in a dialog box to install an update has the same legal effect as "I agree" to a set of license terms.)

[screenshot: search-settings-changed-in-chrome-no-consent]

The Ask search results for the title of my new book included seven ads at the top of the page, with background color and visual styles that were indistinguishable from web search results. Three of those ads were for deceptive or misleading "PC fix-it services" or software. One ad, ironically, offered an unauthorized download of the free Microsoft Security Essentials that included its own adware bundle.

The actual result I was looking for was in the seventh position under the Ask web search results. The same search at Google.com included only one clearly labeled ad, and the best search result was in the third position in results. The screen below shows the ugly Ask toolbar and the Ask icon at the top of the Chrome window. Both were installed without informed consent and with no warning except the original misleading dialog box in the Java updater.
[screenshot: ask-search-results-in-chrome]

Uninstalling the Ask toolbar does not restore the previous search settings in Chrome 24. You have to make that change manually.
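Two of the behaviours described above are easy to check for after the fact: an add-on installer that completes only after a deliberate delay following the Java update, and a Chrome default search provider that has been silently pointed at another host. The script below is an added example, not code from Oracle, IAC or the article. The event-log lines and the Preferences document are constructed for the example (the line shape only loosely follows MsiInstaller "installation completed" events), and the `default_search_provider` / `search_url` key layout is an assumption about the Chrome 24-era Preferences file.

```python
"""Audit for delayed bundled installs and a hijacked Chrome search provider.

Added example. Sample events and preferences are constructed; the Chrome
preference key layout is an assumption, not verified against a given build.
"""
import json
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed event-log extract: timestamp, source, event id, message.
# Real exports look different; only the product name and time matter here.
SAMPLE_EVENTS = """\
2013-01-20 14:02:11 MsiInstaller 11707 Product: Java 7 Update 11 -- Installation completed successfully.
2013-01-20 14:02:40 MsiInstaller 11707 Product: Visual C++ Runtime -- Installation completed successfully.
2013-01-20 14:12:11 MsiInstaller 11707 Product: Ask Toolbar -- Installation completed successfully.
2013-01-20 14:12:12 MsiInstaller 11707 Product: Ask Toolbar Updater -- Installation completed successfully.
2013-01-20 16:45:00 MsiInstaller 11707 Product: 7-Zip 9.20 -- Installation completed successfully.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) MsiInstaller (?P<id>\d+) "
    r"Product: (?P<product>.+?) -- (?P<msg>.+)$"
)


def parse_events(text):
    """Return [(datetime, product)] for every completed-installation line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or "completed successfully" not in m["msg"]:
            continue
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["product"]))
    return events


def find_delayed_followers(events, trigger="Java", min_delay=300, max_delay=1800):
    """Products whose install finished min_delay..max_delay seconds after a
    trigger product's install. A component bundled inline finishes within
    seconds of its parent; a deliberate sleep shows up as a gap of minutes,
    which is exactly the window the article describes (10 minutes)."""
    trigger_times = [ts for ts, p in events if trigger.lower() in p.lower()]
    hits = []
    for ts, product in events:
        if trigger.lower() in product.lower():
            continue
        for t0 in trigger_times:
            delay = (ts - t0).total_seconds()
            if min_delay <= delay <= max_delay:
                hits.append((product, int(delay)))
                break
    return hits


# Constructed Preferences fragment. The .test TLD is reserved, so the host
# is deliberately not a real search service.
SAMPLE_PREFS_JSON = """{
  "default_search_provider": {
    "enabled": true,
    "name": "Toolbar Web Search",
    "keyword": "toolbar.test",
    "search_url": "http://search.example-toolbar.test/web?q={searchTerms}"
  }
}"""
SAMPLE_PREFS = json.loads(SAMPLE_PREFS_JSON)


def search_provider_host(prefs):
    """Host of the configured default search URL, or None if Chrome is using
    its built-in default. Assumes prefs["default_search_provider"]["search_url"]."""
    dsp = prefs.get("default_search_provider") or {}
    url = dsp.get("search_url")
    return urlparse(url).hostname if url else None


def check_search_provider(prefs, allowed_hosts=("www.google.com", "www.bing.com")):
    """(ok, host): ok is False when the default search points at a host the
    user did not choose. Chrome rewrites Preferences on exit, so read the
    file only while the browser is closed."""
    host = search_provider_host(prefs)
    return (host is None or host in allowed_hosts), host


if __name__ == "__main__":
    for product, delay in find_delayed_followers(parse_events(SAMPLE_EVENTS)):
        print(f"delayed install: {product!r} completed {delay}s after the Java update")
    ok, host = check_search_provider(SAMPLE_PREFS)
    print("search provider ok" if ok else f"search provider hijacked: {host}")
```

Run against a real machine by replacing `SAMPLE_EVENTS` with an export of the Application log and `SAMPLE_PREFS` with the parsed contents of the profile's Preferences file; tune `min_delay` down if you want to see inline bundles as well, since the default window is chosen to separate a sleeping installer from a legitimate chained one.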

The good news is that browser makers collectively are making it more difficult for toolbars like this to be installed and enabled inadvertently.

• Beginning with Internet Explorer 9, new toolbars and other add-ons are disabled by default. You must specifically enable them before they’re active.
• Mozilla Firefox has a similar add-on approval feature.
• Beginning with version 25 (now in beta), Chrome will block add-ons that are installed by third parties and will require the user to specifically enable them.

The Ask toolbar installer takes these defensive measures into account and uses social engineering to try to convince the user to enable the add-ons. It does this by adding its own messages along with the system messages. Here’s what you see in Internet Explorer, for example, the first time you open the browser after the toolbar is installed:
[screenshot: ask-toolbar-additions-in-IE9]

And here’s the extra visual aid added in Firefox, which also appears in a prominent window on first run after the installation of the toolbar:
[screenshot: ask-toolbar-additions-in-Firefox]

These UI additions are social engineering, designed to convince the user to override the browser’s legitimate security settings.

(A side note: In Windows 8, Internet Explorer 10 refuses to install the Ask toolbar at all, although it does install with Chrome 24. An error message in the event logs suggests the installer isn't working properly with IE 10.)

Interestingly, while Oracle continues to junk up Java with these aggressive installer mechanisms, Adobe has moved in the opposite direction over the past year or so.

Installing Adobe Flash or Reader for the first time on a Windows PC still includes the option to install third-party software (typically Google Chrome and the Google toolbar for Internet Explorer). But updates are handled automatically in the background. If you enable the Adobe updater, updates just work, with no attempt to install anything other than the updates.

Even better, both Google and Microsoft have incorporated Flash into current versions of their browsers (Internet Explorer 10 and all recent releases of Chrome), so that installing a plugin isn’t required. Updates are handled through Windows Update and the Chrome Updater, respectively.

The Skype installer, which once offered to install toolbars and add-ons, no longer does so (although it does attempt to change the user's default search engine and home page, a behavior that shouldn't be tolerated).

Java’s updater, by contrast, is a mess. It doesn’t work properly with limited user accounts, and as I’ve demonstrated here, it requires user interaction and unethically attempts to push add-ons that no sane Windows user would accept if they knew how that software works.

And to add injury to insult, the updater takes its own sweet time notifying you when important security updates are available. As the text in the updater dialog box makes clear, you might have to wait between 7 and 30 days after an update is available before you're notified of it. And then you're forced to initiate the update yourself, avoiding the unwanted software along the way. It's no wonder so many people are running outdated and highly vulnerable Java plugins.

I continue to recommend that Windows users avoid installing Java at all, if possible. If you must run it, consider using Ninite to keep it updated in a timely fashion without being annoyed by potentially unwanted software. But for those who aren't aware of options like that, the update process should be fast, accurate, and transparent. Oracle has a responsibility to clean up its act and end its relationship with IAC.
http://www.zdnet.com/a-close-look-at...es-7000010038/





Does Skype Share User Data with the Feds? Privacy Advocates Demand to Know

Privacy advocates and Internet activists call on Skype and Microsoft to open up already about who can access users' sensitive communications
Ted Samson

Dozens of privacy advocates, Internet activists, and journalists have issued an open letter to Skype and Microsoft, calling on the companies to finally get around to being clear and transparent as to who has access to Skype user data and how that data is secured.

The letter specifically urges the companies to follow in the footsteps of Twitter and Google and release periodic transparency reports that clarify which parties -- including government agencies and business partners -- can see the data.

"Since Skype was acquired by Microsoft, both entities have refused to answer questions about exactly what kinds of user data can be intercepted, what user data is retained, or whether eavesdropping on Skype conversations may take place," reads the letter, signed by such groups as the Digital Rights Foundation and the Electronic Frontier Foundation.

Noting that users from all walks of life, from political activists to journalists to businesses, rely on Skype for secure communications of often-sensitive information, the signers deemed it "unfortunate that these users, and those who advise them on best security practices, work in the face of persistently unclear and confusing statements about the confidentiality of Skype conversations, and in particular the access that governments and other third parties have to Skype user data and communications."

The letter says that Microsoft has had sufficient time since acquiring Skype to come up with answers to questions surrounding lawful access, user-data collection, and the degree of security of Skype communications.

For example, the group notes that back in June 2008, Skype had said that it could not eavesdrop on user conversations due to its peer-to-peer architecture and encryption techniques. The company also asserted that it was not required to comply with expanded CALEA (the Communications Assistance for Law Enforcement Act) rules on wiretapping as long as it was based in Europe. However, now that a U.S.-based company owns Skype, it may be required to comply with CALEA. Furthermore, "as a U.S.-based communication provider, Skype would therefore be required to comply with the secretive practice of National Security Letters" issued by the federal government, the transparency proponents note.

The group also notes that in 2012, "the FBI stated that it had issued a warrant for chats going back to 2007, and that it had used those chats as evidence as the basis for criminal charges. This contradicts Skype's own policy stating that chats are retained for a maximum of 30 days."

The group's proposal is for Skype to release periodic transparency reports, à la Twitter and Google, that include:

• Quantitative data regarding what sort of Skype user information is released to third parties, including who is requesting what kind of data and which requests are fulfilled

• Specific details of all user data Microsoft and Skype currently collect, and the retention policies for that data

• Skype's best understanding of what user data third parties may be able to intercept or retain, including network providers or potential malicious attackers

• Details on the relationship between Skype and third-party licensed users of Skype technology, including the surveillance and censorship capabilities users may be subject to if they use these alternatives

• The company's policies and guidelines for employees on handling requests for user data from law enforcement and intelligence agencies

https://www.infoworld.com/t/internet...nd-know-211507





Sweden Enters Fray in EU Data Privacy Fight
David Landes

Swedish MEP Anna Maria Corazza Bildt and tech industry experts on Monday warned that draft legislation updating the EU's outdated data privacy protection rules poses a threat to Europe's competitiveness.

"The new regulation has implications for both civil liberties and the internal market," Corazza Bildt, a member of Sweden's Moderate Party, told a gathering of data privacy experts in Stockholm on Monday.

The seminar, arranged by the American Chamber of Commerce in Sweden and the US business analytics firm SAS Institute, looked at the would-be implications of draft privacy protection legislation introduced in early 2012 by European Justice Commissioner Viviane Reding.

The draft legislation would replace the EU's 1995 Data Protection Directive, which was drawn up prior to widespread use of the internet and the explosive growth in personal computers and smartphones of the last decade.

Among other things, the new regulation calls for stronger privacy protections for European consumers, including more control over the storage and dissemination of their personal data.

It would also clarify where companies operating in several EU member states should turn when it comes to abiding by the regulation.

The draft has since been reviewed by the European Parliament's Civil Liberties, Justice and Home Affairs Committee, which has also presented a modified version of the legislation referred to as the Albrecht Draft, named after the German Green Party MEP Jan Philipp Albrecht who led the parliamentary review.

The contentious legislation, scheduled to be passed next year and come into force in 2015, has prompted a heated debate among privacy advocates, business groups, and data protection officials about what sort of protections should be given to different types of data.

They have also debated the potential implications the rules will have for innovation, cross-border trade, and consumer privacy rights.

According to Corazza Bildt, it is nearly impossible to avoid "ideological battles" related to the thorny issue of protecting personal data, while at the same time attacking the Albrecht Draft for having the potential to "restrict, damage, and revolutionize" the way the internet is used.

"We're already sharpening our knives when it comes to amendments," she said.

The issue has also grabbed the attention of the Swedish government, which is calling for a "technology neutral" and "future proof" approach that avoids having rules based on any specific technology.

"The new rules must be relevant for at least ten years and allow for innovation and new business models," said Magnus Graner, a top advisor to Swedish Justice Minister Beatrice Ask.

And while the government wants technology-neutral laws, they should be tailored after the data in question, said Graner. He outlined the desire to develop a "risk-based" approach that includes different rules and sanctions for different types of data.

The protections afforded someone's health information, for example, should not be treated in the same way as an email exchange between friends or the exchange of business contact information between companies.

"Of course, the devil is in the details," said Graner, echoing a common theme regarding the difficulty of drawing up a common set of rules that would end up defining when data became "personal".

"There is also the need for great caution in order not to overburden corporations and public authorities," he added.

Sweden was held up by many at the seminar on Monday as a leader when it comes to data protection, having passed its first law in 1973.

Currently, Sweden employs a "risk-based" or "differentiated" approach to data protection that has been an inspiration in drafting new EU rules.

Sweden also employs an "abuse model" of enforcement, whereby specific data handling practices are not sanctioned until it becomes clear that people's data is being misused.

"First we issue a warning explaining that the practices aren't in line with the rules, and if the behaviour doesn't stop, then we always have the threat of fines," Hans-Olof Lindblom, general counsel for the Swedish Data Inspection Board (Datainspektionen) explained.

He said his agency is concerned about the draft EU legislation because it threatens to undermine the respect his agency has built up as a trusted arbiter of data protection issues.

"It's really about credibility," he said.

"If we are forced to abide and enforce a set of unworkable rules, people will lose faith in our agency."

Lindblom hopes that the views of his agency and the Swedish government will be taken into account in any final legislation, but admitted it is too early to tell what will happen.

Rene Summer, head of government relations for Swedish telecom giant Ericsson, echoed Lindblom's hopes that new EU rules would incorporate a more "participatory" approach to enforcement.

"We need to be able to learn from our mistakes," he said.

"There needs to be other enforcement strategies other than blunt fines."

He warned that refusing to include a more differentiated approach to EU data privacy rules would end up "deflecting internet and communications technology investments away from the EU".

And while Summer's company shared the policy goal of data protection with policymakers in Brussels, Summer argued that "the path chosen by the EU is not a good one".

"If European policy makers want to make the EU an attractive place for IT companies to invest and do business, there needs to be more room for discretion and judgment," he said.
http://www.thelocal.se/45734/20130121/





Kim Dotcom Wants to Encrypt Half of the Internet to End Government Surveillance
Andrew Blake

In an in-depth interview, Megaupload founder Kim Dotcom discusses the investigation against his now-defunct file-storage site, his possible extradition to the US, the future of Internet freedoms and his latest project Mega with RT’s Andrew Blake.

The United States government says that Dotcom, a German millionaire formerly known as Kim Schmitz, masterminded a vast criminal conspiracy by operating the file-storage site Megaupload. Dotcom, on the other hand, begs to differ. One year after the high-profile raid of his home and the shut-down and seizure of one of the most popular sites on the Web, Dotcom hosted a launch party for his latest endeavor, simply called Mega. On the anniversary of the end of Megaupload, Dotcom discusses the year since his arrest and what the future holds in regards to both his court case and the Internet alike. Speaking with RT’s Andrew Blake from his Coatesville, New Zealand mansion, Dotcom weighs in on the US justice system, the death of Aaron Swartz, the growing surveillance state, his own cooperation with the feds and much more.

RT: You’ve blamed President Obama and the Obama administration for colluding with movie companies in order to orchestrate this giant arrest here in New Zealand. Is this kind of give-and-take relationship between Washington and Hollywood all that you say it is? Or are you just the exception? Does this really exist?

Kim Dotcom: You have to look at the players behind this case, okay? The driving force, of course, is Chris Dodd, the chairman of the MPAA [Motion Picture Association of America]. And he was senator for a long time and he is — according to [US Vice President] Joe Biden — Joe Biden’s best friend. And the state attorney that is in charge of this case has been Joe Biden’s personal counsel, Neil MacBride, and [he] also worked as an anti-piracy manager for the BSA, the Business Software Association, which is basically like the MPAA but for software companies.

And also, the timing is very interesting, you know? Election time. The fundraisers in Hollywood set for February, March [and] April. There had to have some sort of Plan B, an alternative for SOPA [the Stop Online Piracy Act], because the president certainly was aware — and his team at the White House was aware — that if they don’t have anything to give at those fundraisers, to those guys in Hollywood who are eager to have more control over the Internet, they wouldn’t have probably raised too much. And Hollywood is a very important contributor to Obama’s campaign. Not just with money, but also with media support. They control a lot of media: celebrity endorsements and all that.

So I’m sure the election plays an important role. The relationships of the people that are in charge of this case play an important role and, of course, we have facts that we want to present at our extradition hearing that will show some more detail about this and that this is not just some conspiracy theory but that this actually happened.

RT: The US Justice Department wants to extradite you, a German citizen living in New Zealand operating a business in Hong Kong. They want to extradite you to the US. Is that even possible?

KD: That is a very interesting question because the extradition law, the extradition treaty in New Zealand, doesn’t really allow extradition for copyright. So what they did, they threw some extra charges on top and one of them is racketeering, where they basically say we are a mafia organization and we set up our Internet business to basically be an organized crime network that was set up and structured the way it was just to do criminal copyright infringement. And anyone who has ever used Megaupload and has any idea about how that website worked knows immediately that it was total nonsense. But they needed to chop that on in order to have even a chance for extradition. But in our opinion, you see, all of that was secondary. The primary goal was to take down Megaupload and destroy it completely. That was their mission and that’s why the whole thing in Hong Kong, for example, they called it Operation Takedown. And I think everything that’s happening now, they are trying on the fly to doctor it around, and found a way to find a case. They probably came here and thought, “We will find something; that these guys have done something wrong.” In the indictment, if you actually read that, it’s more like a press release. There’s nothing in there that has any merits.

RT: When the raid happened one year ago today, it got a lot of people talking both about the Internet and about this character, Kim Dotcom. But it was a lot of talking and not so much action, because here it is one year later and this case is still happening. Back up earlier this month, and we saw Aaron Swartz — an online information activist — pass away, and only in his mid-20s. And it got a lot of people talking, so much so that members of Congress have actually asked for changes to federal computer laws so that this doesn’t happen again. What is it actually going to take to get people to stop just talking and to actually start acting?

KD: Our case is going to be the one that will have much more attention down the road because it is a crucial case for Internet freedom. And I think more and more people realize that and the government is quite exposed here because they really went in with completely prosecutorial abuse and overreach and ignoring due process, ignoring our rights, spying on us, illegal search warrants, illegal restraining orders, illegal spying. The whole picture, when you look at it, shows that this was an urgent mission, done on a rush. “Take them down, I want them to go.” And it was a political decision to do that. And the execution was extremely poor, and the case is extremely poor, because that is something they thought that they could worry about later. It was all about the takedown. “Let’s send a strong message to Hollywood that we are on their side.”

RT: And now it’s been a year and nothing has progressed. At least for them. It seems like the case is falling apart day by day.

KD: Let me give you one example of how crazy this is. We have a judge here who said, “Please show us your evidence about your racketeering allegations. Show us that these guys were setting up some sort of organized crime network,” because that’s what the extradition will focus on primarily. They are using the organized crime treaty to get us extradited. So the US appealed that and said, “We don’t want to show you what we have.” And then they appealed to the high court and the high court then said, “We want to see it.” And they just keep appealing it, all the way to the court of appeals and to the Supreme Court. And what does that tell you? If you don’t even want to show us your cards — show us what you have! If you have such a strong case and are seriously interested about getting someone extradited, why waste all this time? Just show your hand. And they don’t have anything because we haven’t done anything wrong. We were law abiding. We were a good corporate citizen. And they knew that the time they came here to do this. They just wanted to take us down.

RT: The new program, Mega, is fully encrypted, and you’re touting it as an encrypted program so that people will want to use it. Do you think this is even necessary, right now, that people need encryption on the Internet?

KD: I think it’s important for the Internet that there is more encryption. Because what I have learned since I got dragged into this case is a lot about privacy abuses, about the government spying on people. You know, the US government invests a lot of money in spy clouds: massive data centers with hundreds of thousands of hard drives storing data. And what they are storing is basically any communication that traverses through US networks. And what that means is they are not spying on individuals based on a warrant anymore. They just spy on everybody, permanently, all the time. And what that means for you and for anybody is that if you are ever a target of any kind of investigation, or someone has a political agenda against you, or a prosecutor doesn’t like you, or the police wants to interpret something in a way to get you in trouble — they can use all that data, go through it with a comb and find things even though we think we have nothing to hide and have done nothing wrong. They will find something that they can nail you with and that’s why it’s wrong to have these kinds of privacy abuses, and I decided to create a solution that over time will encrypt more and more of the Internet. So we start with files, we will then move to emails, and then move to Voice-Over-IP communication. And our API [Application Programming Interface] is available to any third-party developer to also create their own tools. And my goal is, within the next five years, I want to encrypt half of the Internet. Just reestablish a balance between a person — an individual — and the state. Because right now, we are living very close to this vision of George Orwell and I think it’s not the right way. It’s the wrong path that the government is on, thinking that they can spy on everybody.

RT: Long before Megaupload was ever taken down, the Justice Department was looking into Ninja Video and you actually cooperated with them. People want to know: how is Kim Dotcom, this guy who is incredibly against Washington and hates everything that they’ve done to him, how is this same guy also helping out the Justice Department?

KD: Let me explain to you how this worked, okay? I was a good corporate citizen. My company was abiding by the laws. If we get a search warrant or we get a request by the government to assist in an investigation, we will comply and we have always complied. And that is the right thing to do, because if someone uploads child pornography or someone uploads terrorist stuff or anything that is a serious crime, of course we are there to help. This is our obligation. And I am not for copyright infringement. People need to understand that. I’m against copyright infringement. But I’m also against copyright extremism. And I’m against a business model: the one from Hollywood that encourages piracy. Megaupload is not responsible for the piracy problem, you see? It’s the Hollywood studios that release a movie in the US, and then six months later in other parts of the world. And everyone knows that the movie is out there and fans of a particular actress want to have it right now, but they are not giving them any opportunity to get access to that content even though they are willing to pay. And they are looking for alternatives on the Internet, and then they find them. They are trying to make me responsible for their lack of ability to adapt to a new reality, which is the Internet, where everything happens now. It doesn’t happen three months later. Imagine you go to Wikipedia. You want to find something, research an article, and they tell you to come back in three months, ‘We’ll give it to you then.’ If you find another site where you can get it right now, that’s where you go, right? So it’s really their business model that is responsible for this issue. And if they don’t adapt, they will be left behind on this side of the road of history like many others who haven’t adapted in the past.

RT: What about your skeptics who point out this big playboy lifestyle and this giant, elaborate house and say ‘He’s not worried about Internet freedoms, he’s just worried about protecting his profits’?

KD: Let me be clear: I am a businessman, okay? I started Megaupload as a business to make money. I wanted to list the company. I am an entrepreneur, alright? I’m not Aaron Swartz. Aaron Swartz is my hero. He was selfless. He is completely the opposite of me, but I’m a businessman. I’m driven by the success of achieving something in the business world. That’s not a crime. There is nothing wrong with that. And if you create something that is popular and that people want to use, you automatically make money. And I’ve always been an innovator. I’ve always created products that people like. And that’s why I’m successful. I’m not successful because people have used Megaupload for copyright infringement. And what everyone needs to understand [is] there have been massive amounts of legitimate users on Megaupload. We don’t believe that 50 million users a day are all just transferring piracy. That’s wrong. A lot of people have used it to back up their data, to send a file quickly to a friend. Young artists have used it to get traction, to get downloads, to get known. There was a lot of legitimate use on Megaupload. It’s a dual-use technology, just like the Internet. You can go to any ISP right now, anyone who connects customers to the Internet. And if they are honest to you and you ask them the question ‘How much of your traffic is peer-to-peer piracy?’ anyone who will tell you less than 50 percent is lying to your face. This is a problem of the Internet and not Megaupload.

RT: If you weren’t doing Mega, or Megaupload, what would you be doing? Here’s this businessman who strives to accomplish success. What would you be doing?

KD: I would probably build spaceships and we would probably already be on Mars.

RT: What happens next, though? What are the chances of Mega being shut down. We already saw that radio stations were pulling ads.

KD: The content industry is still very emotional about us. We bought radio ads with one of the major networks here for eight radio stations. Very funny, very cool ads, promoting our service as a privacy service. And the labels called up the radio station, and one advertiser who is in the movie business called up the radio station, and demanded those ads to be taken down or else they will not buy ads from them anymore. And they were forced because they rely, of course, on that advertisement. My campaign was comparably small to the amount that they are spending. So they used their power to interfere in our right to have a media campaign, an ad campaign. And that just shows you that attitude. It’s against the law. They can’t do that. That’s interfering in our business and they have done that many times in the past. Calling payment processors, calling advertisers, telling them, ‘I don’t want you to work with these guys.’ That’s just wrong. If you have an issue with us, go hire a lawyer, sue us, take us to court and then see if you have anything that will give you a judgment against us. But instead, they use that power and their money to get new laws made for them, to lobby politicians, to get the White House to come here and destroy our lives. Destroy 220 jobs. Hardworking innocent people and they don’t give a damn about that. They had an agenda that is about more control over the Internet. And they made a strategic decision to say ‘Who are we going to take out to send a strong message?’ And I was the one.

RT: But what happens if Mega is shut down? You are only on day one right now. How long is it going to take before the government steps up again and what are you going to do if that happens? Are you prepared to just start all over again? It’s been one year and here you are, doing this over again, what happens when Uncle Sam puts his foot down and grinds you into the dirt again? Do you get back up?

KD: Here is the thing. This startup is probably the most scrutinized when it comes to legal advice. Every single aspect of it has been under the looking glass by our legal team. So we are confident that it’s fully compliant with the law, and if they come to attack us it’s just going to backfire. Exactly like the Megaupload case did. The shutdown of our site backfired already, massively. And it’s just going to get worse for them. If they think they can pursue this and get away with this, they are dead wrong. Because the society is not on their side. Everyone who uses the Internet knows what’s going on here. They don’t like what’s going on here. They saw it with SOPA and you will see it with our case. People will come together and fight this kind of aggression against innovation and Internet freedom.

RT: After Megaupload was shut down by the FBI last year, hacktivists with the movement Anonymous retaliated, so to speak. In response, they went and took down the websites for the FBI, the Motion Picture Association of America, the Department of Justice, the Recording Industry Association of America. All of these organizations were shut down by Anonymous in response to what they did to you. These were people who you never met but were so moved by what happened that they had to stand up and do something. Did you ever thank them, and how did you take it? How did you respond to their reaction?

KD: It’s a kind of virtual protest, you know? I think it’s not a good idea to shut down websites. I’ve been a hacker myself. I understand why they are doing it and how they are doing it, but I think there are better ways to protest. Where you organize yourself in a group and do petitions and actually email congressmen, email your local politicians, let them know about what you don’t like. Organize your movement rather than attacking. I had a sense of understanding for them because everyone had stored so much data on Megaupload, and then all of a sudden a site like that disappears and billions of files are taken offline, the majority of them perfectly legitimate. You need to understand one thing: 50 percent of all files that were ever uploaded to Megaupload have not even been downloaded once. That clearly shows the non-infringing use. People just wanted to store their stuff on our site. And of course they were outraged when that disappeared and the government said, ‘We don’t give a care and we don’t give a damn about you people. We don’t care that you have your personal documents there because we have our agenda and we are going to take over the Internet.’ And you know the White House was supporting SOPA, and only when the masses came together — and Aaron Swartz: he stopped SOPA. With his efforts, he stopped SOPA. And he became a target. A political target, okay? And that’s why all these things happened to him. There is no reasonable cause behind going after a young genius like that in the fashion they did. It’s political. Because the White House wanted SOPA. They promised it to Hollywood and they failed and they couldn’t go ahead because the White House was afraid if they keep pushing hard and they keep pushing it forward, that the people who oppose it are not going to vote for Obama in the reelection campaign. So it’s all a game to them really and we are all the little puppets that they think they can kick around. So we need to organize. 
There needs to be a movement that identifies these things and fights that. Not with shutting down websites but with real protests. Going out on the streets, writing to politicians and especially, most importantly, don’t vote for the guys that are against Internet freedom. Anyone who voted for SOPA, you should have a close look at that guy. Do I want to give him my vote next time around? Because that’s the only language politicians understand is your vote. And if you can bring all these votes together, somehow pooled for Internet freedom, you will see all these efforts disappear. Because at the end of the day, they represent the public. Politicians represent the public. And when they have enough pressure they can’t move forward. And SOPA was the best example for that.
https://rt.com/usa/news/kim-dotcom-interview-mega-673/





Megabad: A Quick Look at the State of Mega’s Encryption

Puzzling design choices and potential holes make the service a mixed bag.
Lee Hutchinson

The news this past weekend was all Mega, Mega, Mega. We've covered the launch of the new "cyber locker" service (and I swear that's the last time I'll ever use the prefix "cyber") and we've talked with Kim Dotcom himself, but the shiniest feature—the encryption methodology—has remained unexplained.

Mega has an entire page dedicated to explaining to developers how its API works, and the page contains some high-level details of what encryption methods the service uses and where they're used. There are actually several different things going on, and it's not as simple (or as secure) as it appears at first blush.

Block object storage

Mega's documentation notes it uses a "hierarchical file/folder paradigm," which is a fancy way of saying that it organizes your data into files and folders, just like your local file system. Every file or folder has an identifying data structure called a node (sort of analogous to an inode in a Unix-y file system) and every node has a parent node; in this way, the "file/folder" paradigm is maintained even if all the Mega service can see are flat encrypted blocks. There are three parentless root container nodes for each account—one for the root file folder, one for the inbox, and one for the trash.

Each node contains an attribute block and data blocks. The attribute block for the node currently is only used to contain the name of the data object associated with the node—the name of the file or folder, in other words—but the docs note that in the future more data can be squeezed into the attribute block, including user-to-user messages for different users to collaborate on files. The attribute and data blocks are both encrypted, separately, with AES-128.

Encryption

The "Cryptography" section of the docs starts like this:

All symmetric cryptographic operations are based on AES-128. It operates in cipher block chaining mode for the file and folder attribute blocks and in counter mode for the actual file data. Each file and each folder node uses its own randomly generated 128 bit key. File nodes use the same key for the attribute block and the file data, plus a 64 bit random counter start value and a 64 bit meta MAC to verify the file's integrity.

Files and folders, therefore, are encrypted with symmetric encryption. Symmetric encryption means the same key is used to encrypt and decrypt your data; this is less computationally intensive and easier to implement than asymmetric encryption, which we'll get to in a moment.

AES-128 is a well-known and widely used block cipher. It works by applying a transformation to a fixed-length piece of data (a 16-byte block), with the exact nature of that transformation being determined by a 128-bit encryption key. To decrypt, the process is applied in reverse, again using the same key. For the data stored in Mega, a master key is generated for you at the time of sign-up; it is itself stored encrypted under a key derived from your account password, and it in turn encrypts the individual file and folder keys.

Before we go any further, let's stop to look at the potential implications. The key used to encrypt your Mega files and folders is stored on Mega's servers, rather than on your local computer. It is stored encrypted, but it is stored there nonetheless. It is telling that there appears to be no password recovery mechanism anywhere in the Mega or log-on screens, nor any method of changing your password in the user control panel. Because the master AES-128 key is encrypted using your password, remembering the password is vital. Losing it means you don't just lose the ability to log on to the service: you lose the ability to decrypt your files, period.

More encryption

There's not just AES-128 encryption happening, though. Each user account also has a 2048-bit RSA key pair generated during sign-up. This is a separate asymmetric encryption method, and it's employed to let users of the Mega service send messages and files securely to each other.

Without getting too far off in the weeds discussing asymmetric encryption, here's the gist: rather than one key that encrypts and decrypts data, everyone gets a pair of keys, called a public key and a private key. Data encrypted with the public key can only be decrypted with the private key, and vice-versa. The public key can be used by anyone to send a message that can only be read by the person who possesses the private key; conversely, something transformed with the private key can be checked by anyone holding the public key, which is the basis of digital signatures (assuming you're the only person with access to your private key, anyone can verify that a message really came from you). In Mega's case the docs say the RSA pair exists "to securely receive data": presumably, when users share files with each other, the file or folder keys are encrypted to the recipient's public key so that only the recipient can read them.

The documentation is ambiguous on exactly how the RSA private key is kept secure:

In addition to the symmetric key, each user account has a 2048 bit RSA key pair to securely receive data. Its private component is stored encrypted with the user's symmetric master key.

It's annoyingly unclear if this means the RSA private key is encrypted using the user's symmetric master key, or if the RSA private key is stored, encrypted, alongside the symmetric master key. It's likely the former, though.


Poking holes

On the surface, things look relatively secure. Objects are encrypted with AES-128, and there's a separate encryption method for sending secure messages between users. Here's where things start to fall down, though.

The biggest problem with Mega's methods is the lack of entropy gathered in the generation of the RSA key pair. An encryption key needs to be impossible to guess, so it is built from random numbers. Computers, though, are deterministic: the "random" numbers produced by an ordinary pseudo-random number generator are entirely determined by its seed, so for key generation the generator has to be seeded with entropy. Entropy is "true" randomness gathered by the computer from unpredictable sources: the timing of keypresses and mouse movements, disk and network interrupt timings, sound from a microphone, or any number of other things. Some modern CPUs even contain hardware random number generators that sample thermal noise in the silicon as an entropy source.

The more entropy you have available, the more unguessable your key generation will be. If you're generating an RSA key pair at the command prompt using a tool like openssl, this is handled for you: the tool seeds itself from the operating system's entropy pool. Unfortunately for Mega, it's generating the RSA keys in JavaScript inside the browser, and the method employed doesn't do a very good job at all of capturing entropy.

Nadim Kobeissi, developer of the open source cryptographic chat application Cryptocat, did a fair amount of tweeting on the subject Saturday evening after Mega launched. He noted Mega uses JavaScript's Math.random() function as the basis of its random number generation. Math.random() is not a cryptographic generator: the language specification makes no guarantee about how it is seeded or how predictable its output is. Mega does apparently capture mouse and keyboard input to add more entropy, but the message displayed during the key generation is bafflingly misleading:

"To strengthen the key, we have collected entropy from your mouse movements and keystroke timings." So, wait—should I wiggle my mouse now, or is it too late?

Without enough entropy, the prime candidates that Math.random() feeds into RSA key generation are only pseudo-random, and an attacker who can reconstruct the generator's state can narrow down the search for them. The end result is that it is easier (not easy, but easier) to recover a Mega user's private RSA key than it should be. With that private key, an attacker can read anything encrypted to the user's public key and pass messages or files off as that user's.

Deduplication: Another quandary

There's another issue besides identity spoofing: Mega's terms of service contain the following puzzler:

8. Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data.

This sounds a lot like deduplication: storing each unique chunk of data only once to save storage space. But each file node is encrypted under its own randomly generated key, so two uploads of the same file should produce two unrelated ciphertexts, and Mega should have no way to tell that they are copies. If Mega only sees encrypted data, which with fresh per-file keys ought to be unique for every upload, how then can they be "deduplicating" it? Is something fishy going on?

There is a lengthy discussion at Hacker News on the subject, which has a number of theories, including that Mega is using convergent encryption (deriving the file key from the file's own contents, so identical files get identical keys and identical ciphertext) to identify non-unique blocks, or that the service's CBC-MAC-based integrity checking is used as the basis for deduplication (though this doesn't seem like it would work across accounts, since the CBC-MAC is computed under the per-file key, and the same block processed with two different keys would yield two different MACs).

Whatever the underlying method, the fact that block deduplication exists is a blow against the "see no evil" approach taken by Mega. By itself, a global method of identifying specific data doesn't necessarily mean anything; however, the implication is that a uniquely identifiable thing can be derived from any given piece of data. This returns some burden to Mega—rather than throw up its hands and say that it has no idea what Mega users Alice or Bob have in their Mega accounts, there apparently is a way of telling whether or not Bob and Alice have the same file or files. If the MPAA gets wind that Bob is hosting a copy of The Hobbit: An Unexpectedly Long Movie in his Mega folder, and Alice also happens to have the same file in her Mega folder, it's trivial to prove that Alice has the same file—in fact, the nature of deduplication means there's some record of every deduplicated block, and therefore every other infringing user.

Why is it all like this?

A lot of the issues with Mega's cryptographic implementation appear to be tied with the desire to make the service as "thin" as possible, requiring only a JavaScript-capable browser (preferably Chrome, according to Mega). On one hand, this means there's no client required, and the Web browser itself functions as the application platform; this simplifies the testing and deployment of new Mega features, since all Kim Dotcom's guys have to do is update the site's JavaScript files. It also immediately buys total cross-platform compatibility, working on any computer in (just about) any browser.

On the other hand, the documentation and implementation have no small number of weaknesses and potential exploits. The RSA key pair generation process needs to be overhauled post-haste, and there needs to be some method of backing up and modifying a user's encryption key.

The fact that encrypted data is not a total mystery to Mega is the most troubling issue. On one hand, the reason behind implementing a block-based data deduplication scheme is obvious: storage is cheap, but it's not that cheap, and the distributed infrastructure providers supplying storage to Mega don't have to waste space storing non-unique data—instead of 10,000 copies of The Hobbit, the service would only store a single copy, freeing up terabytes of space (though the scale and scope of the deduplication isn't known yet, so this may be optimistic). On the other hand, even if the service doesn't know those blocks of data happen to be The Hobbit, the service does know which users own those deduplicated blocks, and if one user is implicated, there's proof against all the others, too.

The CTO of Mega, Mathias Ortmann, had this to say during the launch press conference: "The encryption is open source. We expect the security community to take a long and hard look and comment on possible weaknesses." It no doubt will, with a vengeance.
http://arstechnica.com/business/2013...as-encryption/





A Word On Cryptography
Mega Blog

The cloud storage market is dominated by players that do not take advantage of cryptography beyond HTTPS and server-side encryption. Since we set out to improve this rather dissatisfying situation three days ago, some news outlets have made attempts to dismantle our crypto architecture. Frankly, we were not too impressed with the results and would like to address the points that were raised:

ars technica: "Megabad: A quick look at the state of Mega's encryption"

"The key used to encrypt your Mega files and folders is stored on Mega's servers, rather than on your local computer."

This is correct - the only key that MEGA requires to be stored on the user side is the login password, in the user's brain. This password unlocks the master key, which in turn unlocks the file/folder/share/private keys.

"It is telling that there appears to be no password recovery mechanism anywhere in the Mega or log-on screens, nor any method of changing your password in the user control panel. Because the master AES-128 key is encrypted using your password, remembering the password is vital. Losing it means you don't just lose the ability to log on to the service - you lose the ability to decrypt your files, period."

This is correct (and comes as no surprise) - however, this will change in the near future:

• A password change feature will re-encrypt the master key with your new password and update it on our servers

• A password reset mechanism will allow you to log back into your account, with all files being unreadable. Now, if you have any pre-exported file keys, you can import them to regain access to those files. On top of that, you could ask your share peers to send you the share-specific keys, but that's it - the remainder of your data appears as binary garbage until you remember your password.

"Without adding entropy, the "random" primes generated by math.random for use as RSA keys are really only pseudo-random and can be guessed."

This is correct - and quite a strange statement to make after conceding that mouse and keyboard entropy are indeed used to enhance Math.random(). We will, however, add a feature that allows the user to add as much entropy manually as he sees fit before proceeding to the key generation.

[On deduplication] "Whatever the underlying method, the fact that block deduplication exists is a blow against the "see no evil" approach taken by Mega."

Fact #1: Once this feature is activated, chunk MACs will indeed be stored on the server side, but they will of course be encrypted (and we will not use ECB!). Fact #2: MEGA indeed uses deduplication, but it does so based on the entire file post-encryption rather than on blocks pre-encryption. If the same file is uploaded twice, encrypted with the same random 128-bit key, only one copy is stored on the server. Or, if (and this is much more likely!) a file is copied between folders or user accounts through the file manager or the API, all copies point to the same physical file.

Forbes: Researchers Warn: Mega's New Encrypted Cloud Doesn't Keep Its Megasecurity Promises

"So Mega, or anyone else who gains control of the Mega server sending the crypto algorithms, can turn off that encryption or steal the user's private key, which would allow decryption of all past and future uploads."

Correct. Fact #1: Our FAQ states exactly that and warns people that do not trust us to refrain from logging into the site (but they could, in theory, still safely use MEGA through client apps from vendors they trust). Fact #2: Any software maker offering online application updates is able to plant Trojan code into specific targets' computers, with much more far-reaching consequences.

"If you can break SSL, you can break MEGA."

Yes. But if you can break SSL, you can break a lot of things that are even more interesting than MEGA.

"To make matters worse, Mega's SSL server seems to use weak 1024-bit encryption, rather than the 2048-bit encryption considered the minimum standard by many cryptographers for a decade. (This 2004 study, for instance, that declared 1024-bit keys would only be secure until 2006.)"

Fact #1: https://mega.co.nz/ uses 2048-bit encryption. Fact #2: https://*.static.co.nz/ uses 1024-bit encryption. Fact #3: All active content loaded from these "insecure" static servers is integrity-checked by JavaScript code loaded from the "secure" static server, rendering manipulation of the static content or man-in-the-middle attacks ineffective. The only reason why HTTPS is supported/used at all is that most browsers don't like making HTTP connections from HTTPS pages. And, using more than 1024 bits would just waste a lot of extra CPU time on those static servers. Fact #4: This has been covered in our FAQ from the beginning.

Johns Hopkins cryptographer professor Matthew Green says that Mega's claims of a Javascript verification system "make no sense." ... "If the Javascript is verifying itself, it's like trying to pick yourself up by our bootstraps, which doesn't work," says Green. "You need something trusted on the user's machine to check the Javascript, and they don't have that."

Please do not rely on hearsay, even if you are a cryptographer professor. Instead, go to the actual site and look at the actual code. Fact #1: The JavaScript is not verifying itself. Fact #2: A piece of JavaScript coming from a trusted, 2048-bit HTTPS server is verifying additional pieces of JavaScript coming from untrusted, HTTP/1024-bit HTTPS servers. This basically enables us to host the extremely integrity-sensitive static content on a large number of geographically diverse servers without worrying about security.

MegaCracker

An excellent reminder not to use guessable/dictionary passwords, specifically not if your password also serves as the master encryption key to all files that you store on MEGA.
https://mega.co.nz/#blog_3

Until next week,

- js.

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black